APPENDIX C 
THE COVENANT TRUST MODEL 

SELF-CERTIFICATION OF DIGITAL SIGNATURE KEYS BY CONTRACT 

Edwin A. Suominen 

A. THE COVENANT TRUST MODEL 

I. BACKGROUND 

With the Electronic Signatures in Global and National Commerce Act of 2000, the 
U.S. Congress gave digital signatures the same legal validity as an ink signature on a 
piece of paper. Now, the sender of an email message, word processing document, or 
any other type of electronic record that can be construed as a written contract can be 
legally bound to that record if the recipient can prove that the sender authenticated the 
record. 

Electronic records that are signed with digital signatures can be proven, to a very 
high level of certainty, to be authenticated by the person who caused the digital 
signature to be applied to the record. The digital signature can only be applied with a 
private key, which is an incredibly large number that uniquely corresponds to another 
incredibly large number, called a public key. The private key, as its name implies, is 
kept a strict secret by the person who uses it to sign his or her digital signature. Strong 
cryptographic software ensures that it is "computationally infeasible" (i.e., very 
difficult, even with very fast computers) to derive the private key from the public key. 
When a person signs an electronic record with their private key, a digital signature code 
is produced that anyone can verify against the public key, which is publicly accessible. 
The slightest change in a document so signed will cause the digital signature to no 
longer match the document. 

The cryptography used in digital signatures is very strong and nearly impossible 
to tamper with, at least with current technology. But a very old problem remains that 
technology alone cannot entirely solve. That problem is trust. 

The trust problem in digital signatures can be summarized as follows: How do 
you know that the public key really belongs to the person who says it belongs to him or 
her? Anyone can create a public key and call it someone else's, then use the 
corresponding private key to create forged electronic records. The 1998 edition of The 
Global Trust Register, a printed directory of public keys published by a group of 
cryptography experts, states the problem as follows: "[T]here is no cheap and effective 
way for Internet users to check the validity of public keys on which they may wish to 
rely." 

The experts who wrote The Global Trust Register made that statement in spite of 
the many efforts by Certification Authorities (CAs) to deploy a "hierarchical trust" 
model, where trusted third parties check out the identity of persons who own 
private/public key pairs. A CA such as Verisign, Entrust, or Thawte will add its digital 
signature to a public key if the public key is tied to the name of a person who physically 
appears with proper documentation to prove their identity. Recipients of documents 
signed with the certified public key are then expected to trust that the CA has done its 
job and that the public key really came from the person whose name is tied to it. 

But what happens when one of the many employees at the CA doesn't do his or 
her job properly? Who is liable for the recipient's reliance on a forged document 
promising delivery of 10,000 widgets for $1M when the sender has pocketed the money 
and run, completely anonymously due to the faceless nature of the Internet? The 
recipient cannot sue the sender if the recipient doesn't know who the sender really was. The 
recipient's only course of action is to sue the CA for not doing its job. CAs try to avoid 
liability with disclaimer language in their Certification Practice Statements. 

What about tort claims against the CA? Here's what the text Certification 
Authority Liability Analysis has to say about that: 

A CA's liability for tort claims based on negligence may be limited by the so-called 
"economic loss doctrine." The economic loss doctrine provides that claims for purely 
economic losses based on product defects are not recoverable in tort. The rule holds simply 
that tort liability does not arise for pure economic loss, but only for personal injury or property 
damage. The principles behind this rule are that protecting personal injury and property 
damage claims are more important social policies than pure economic (business) losses, and 
that economic losses are better protected by negotiated contract allocations rather than through 
generalized tort law. (Certification Authority Liability Analysis Section 1.1, American 
Banker's Association, 1998, emphasis added.) 

In addition to the problems with "hierarchical trust" that should now be 
apparent, reliance on the Certification Authority as a trusted third party requires the 
CA to have an established reputation and to keep its digital house in order for a long 
time. It doesn't do much good to have a "trusted" third party certifying a digital 
signature if that third party disappears, loses data, or is found out to have some serious 
security breach in its infrastructure. 

In view of these problems, a system is needed that will translate the direct trust 
from signer to recipient that self-authenticating ink signatures now provide into the 
realm of digital signatures. The solution, it turns out, is combining technology with the 
trusted authentication that ink signatures and signature witnesses have established over 
hundreds of years of history. 

II. THE COVENANT - AN ANCIENT CONCEPT APPLIED TO TECHNOLOGY 

The Covenant Trust Model relies on a person's self-certification of his or her 
public key and a covenant by that person not to repudiate the public key. The 
"Covenant of Non-repudiation" legally binds the owner of the public key to any digital 
signatures created with the corresponding private key. Thus, the liability for proper 
usage of the private key is placed on the shoulders of the person owning the public key, 
where it belongs, and legal reliance can be placed upon the public key and any 
electronic record signed with the corresponding private key. 

The covenant is made in an Authentication and Certification Instrument (ACI), a 
legally signed paper document that contains an identification code positively 
identifying the public key in question. The document is signed in ink and witnessed by 
a notary public, thus invoking an authentication system whose trust has been 
established and is universally recognized by our legal system. An example ACI (see 
Appendix A-1) contains the following text: 

I acknowledge and understand that the consequence of executing this authorization and 
certification instrument ("Authorization") is that any electronic record accompanied by a 
digital signature that uniquely corresponds to both the document and the Public Key was 
signed by me, with a negligible level of doubt. I covenant with any bearer of this Authorization 
or facsimile copy thereof not to repudiate such digital signature unless I communicate (directly 
or indirectly) a revocation of the Public Key to the bearer in writing before the signature date. 

The ACI includes security features, discussed below, that make it extremely 
difficult to forge with identification of a different public key, even in a facsimile copy. A 
person receiving a copy of the ACI (from the signer, from the Internet, wherever) is in 
possession of a legal instrument that authenticates a public key without the need for 
trusted third parties. The role of a third party, if one is used at all, is simply to distribute 
facsimile copies of the ACI. For additional security, the third party can apply its digital 
signature to the copies of the ACI it distributes to certify them as true copies of the 
original signed in ink. For example, the third party can authenticate PDF or TIFF files 
containing facsimile copies of ACIs with a standard SSL (Secure Sockets Layer) 
certificate issued by a conventional CA. 

The conventional "hierarchical trust" model attempts to establish a chain of 
authenticity to supposedly trusted third parties who are presumed to be doing their 
jobs properly. In contrast, the covenant trust model establishes a chain of authenticity to 
a legal covenant signed with a notarized ink signature on an ACI, in which a public key 
owner promises not to repudiate digital signatures corresponding to that public key. 
The chain of authenticity can begin with initial reliance on the security features of a 
facsimile copy of the ACI and distribution of the ACI via a trusted web site, email 
sender, or remote-access viewing software. Higher up on the chain of authenticity, and 
still convenient to obtain, is digitally-signed certification of the copy by a trusted 
certifier. Still higher on the authenticity chain is the availability of ink-signed certified 
copies of the ACI by the original signer or, for a fee, by a trusted certifier. The ultimate 
link in the chain of authenticity can be provided by making the original notarized, ink- 
signed ACI paper available for inspection by experts, judges, juries, or attorneys during 
dispute resolution. 

B. IMPLEMENTATION OF COVENANT TRUST VIA THE INTERNET 

I. OVERVIEW 

A new type of "Certification Authority" will be deployed at SelfCertify.com 
based on the covenant trust model. SelfCertify.com (discussed here in the present tense 
for convenience) is a certification authority only in the sense that it registers public keys 
and the identity of persons who claim to own those keys, and certifies that copies of 
ACIs it distributes are true copies of originals in its possession. It does not certify the 
identities of the person claiming to own the public keys - those persons make that 
certification themselves in the ACI. 

In addition to registering public keys and distributing ACIs for authentication of 
those keys, SelfCertify.com can provide standardized digital certificates (e.g., using the 
X.509 standard) to ensure that its subscriber's public keys can be validated in a manner 
compatible with conventional public key infrastructure. Again, SelfCertify.com does not 
pretend that the trust imparted by its digital certificates is based on its confirmation of 
the identity of its subscribers. Instead, SelfCertify.com makes a policy of only issuing 
certificates for public keys that subscribers have self-certified with their notarized ink 
signatures in ACI documents. By signing a public key with its X.509 certificate, 
SelfCertify.com simply indicates that it has reviewed the original ink ACI and that a 
copy of the document can be freely downloaded from its Web server. 

The use of X.509 or other standard certificates permits SelfCertify.com to live in 
the world of conventional CAs even though it is based on an entirely different trust 
model. Users who accept the covenant trust model can install SelfCertify.com's root CA 
certificate (the "grandfather" certificate that validates all of its individual certificates) 
into their Web browsers and e-mail applications. As the covenant trust model gains 
acceptance in E-commerce, the manufacturers of Netscape Navigator and Internet 
Explorer can be expected to incorporate SelfCertify.com's root CA certificate into their 
browsers, alongside the certificates of VeriSign, Entrust, and dozens of other CAs. 
Subscribers who use PGP (Pretty Good Privacy) and are looking for a way to validate 
their public keys outside PGP's "web of trust" model can submit their public keys to 
SelfCertify.com for it to be signed by SelfCertify.com's own PGP signature. 

Because covenant trust does not require a trusted third party, subscribers' public 
keys can be validated directly from the subscriber's ACI. The public key of a 
SelfCertify.com subscriber can be validated by freely downloading a copy of the 
subscriber's ACI and checking its positive identification of the public key. Thus, no CA 
certificate is required at all. In fact, subscribers can directly distribute copies of their 
ACI to anyone who will be relying on signatures corresponding to their public keys. 

II. EXAMPLE TRANSACTION USING SELFCERTIFY.COM 

Below is a brief description of an example transaction based on covenant trust. In 
this example transaction, SelfCertify.com serves as a third party for the following: 

1. Freely distributing a compact cryptographic software module to signer 
and recipient with instructions for secure use. The parties use the software 
for generation of the signer's private/public key pair, generation of the 
signer's digital signature on an electronic record, and validation of the 
digital signature against the signer's public key. 

2. Accepting credit card payment (with SSL encryption), public key codes, 
and full legal names of new subscribers to SelfCertify.com. 

3. Issuing blank ACIs to new subscribers, upon payment, with instructions 
for use. 

4. Scanning original signed ACIs received from new subscribers and posting 
digitally certified copies on the web for free downloading. 

5. Retaining original ACIs in a vault for inspection by experts, judges, juries, 
or attorneys during dispute resolution. 

For convenience, this example refers to a widget vendor named Alice and a 
purchaser named Bob. (These names seem to be used in just about every published 
example of cryptographic transactions.) Alice wishes to sign a purchase agreement 
acknowledging Bob's payment of $1M for 10,000 widgets and promises to deliver the 
widgets immediately. Bob wants to make sure that Alice, the president of Widgets Inc., 
is the person signing the agreement and not some "man-in-the-middle" imposter. 



• Signer Enrollment 

Alice visits SelfCertify.com and quickly downloads a copy of "SelfCertify", a 
simple, compact, secure, and free cryptographic software application for Windows 
98/NT/2000, with versions available for various other operating systems. The 
SelfCertify software installs to the Windows tray as an icon, with various functions 
selectable by right-clicking on the icon. If she wishes to avoid the need for installation, 
Alice has the option of simply downloading a single executable file to her desktop and 
running it from there. For maximum convenience (but possibly less security), a Java 
version of the software can be offered for execution in a web browser. Because 
SelfCertify.com serves its pages under SSL with a certificate issued by a conventional 
CA, Alice is assured that the software is authentic and trustworthy. For additional 
assurance, Alice reviews statements on the security of the software, written and 
digitally signed by various cryptographic experts, and validates the signatures of the 
statements before relying on the software. 

Alice then follows the procedures outlined on SelfCertify.com for generating a 
public key from a secure passphrase. (See Appendix X.) She then gets out her credit 
card and subscribes to SelfCertify.com with her credit card number, public key code, 
and full legal name. 

SelfCertify.com then issues Alice a custom-generated PDF file, from which Alice 
obtains two printed pages. The first page is a blank ACI with a space for her driver's 
license or other photographic ID and the second page is customized security paper with 
Alice's key code printed repeatedly in the background in an outline font. 

Alice tapes her driver's license to the blank ACI in the space provided and places 
it on the glass of her photocopier, with the security paper at the top of her photocopier's 
paper supply. She then photocopies the blank ACI to produce an ACI, ready for her 
signature, with outline digits of her key code throughout its background. 

Alice then checks the key code against her public key to make sure it is accurate, 
goes to the Notary Public down the hall, and executes the ACI in the presence of the 
notary. The notary examines Alice's driver's license, notes (in the ACI) any security 
features of it such as a hologram or colored background lines, and signs and stamps the 
ACI. Alice has now entered into a legally binding covenant with any person bearing the 
ACI or a facsimile copy of it. (So that she can keep a copy for her files and make 
certified copies herself, Alice elects to prepare and execute two original copies of the 
same ACI before the notary.) 

Alice mails the executed ACI to SelfCertify.com. Within a few days, 
SelfCertify.com scans the ACI and posts a copy of it on its web site in PDF or TIFF 
format. SelfCertify.com stores the original ACI in a vault for possible inspection in the 
future by experts, judges, juries, or attorneys during dispute resolution. SelfCertify.com 
then emails Alice the following message: 

Your Authorization and Certification Instrument (ACI) has been recorded and you are now 
listed as a fully enrolled subscriber of SelfCertify.com with key ABC01. Once you enter the 
enrollment password "3f8u2b" in your SelfCertify software, your software will automatically 
download the latest copy of our public key registry (now including your key) and will 
automatically validate your digital signatures with the following text in any messages you sign: 
"The following text has been signed with a public key registered as key ABC01 at 
SelfCertify.com. Alice B. Costas has signed a written covenant not to repudiate digital 
signatures created with this public key. To view a copy of this document, click here. The code 
of this public key is BD7D F2FD EC1C DF14 4811 574F F7CE 7D1E 6EB6 F7E9 CCF7 
208B." Persons relying on your digital signature will be able to easily download and inspect a 
copy of your ACI to legally bind you to that signature. 

• Signer's Digital Signature of Electronic Record 

In her email software, Alice selects the text of her purchase agreement with Bob 
and right-clicks on the SelfCertify icon in the Windows tray. She then selects the menu 
item "sign" and, when prompted, enters her private key passphrase. She will probably 
have to look the passphrase up from a piece of paper in her purse the first few times she 
uses it. Later, she will put the piece of paper in her safe or destroy it if she trusts her 
memory enough. If she forgets or loses the passphrase, it's not a big deal. She only 
needs to create another public key from a new passphrase, cancel her original ACI, and 
request another one to continue signing records. 

As soon as Alice has entered her passphrase, the text she selected in her HTML- 
formatted email is replaced by text that is identical (including any formatting) except 
for a block of hexadecimal codes and the following statement in a reduced-size font: 

I, Alice B. Costas, have signed this document with my public key, which is registered as key 
ABC01 at SelfCertify.com. To verify this signature, click on http://SelfCertify.com/validate to 
download a compact, virus-free signature verification program that confirms the signature and 
public key. The software will allow you to obtain a copy of a paper document that you can use 
to legally bind me to this digital signature. You can also independently validate the public key 
by clicking on http://SelfCertify.com/7ABC00 1 to view a digitally certified copy of the 
document. 

The formatting of the original text is preserved in the signed version. There is no 
header to the block of signed text because the SelfCertify software automatically 
calculates the beginning of the signed text block based on the number of signed 
characters, which is recorded in the signature block. Alice is free to select only a portion 
of the text for signature. For example, she may choose not to include letterhead at the 
top of her letters in the block of text she signs. 

Alice can also use S/MIME email software such as Netscape Messenger or 
Outlook Express to sign email messages using conventional, standardized digital 
signature technology and the Covenant Trust model, without the need for the 
SelfCertify.com software. However, she needs to sign an ACI with the SHA1 fingerprint 
of her S/MIME public key (called a "Digital ID") to authenticate it under the Covenant 
Trust model. SelfCertify.com then can issue a certificate for her S/MIME public key to 
authenticate it, based on her ACI. 

• Recipient's Validation of Digital Signature 

Bob receives Alice's digitally signed purchase agreement and downloads the 
SelfCertify software from the link provided in Alice's signature block. He also 
downloads a copy of her ACI. Once the software has been installed as an icon, Bob 
selects Alice's entire e-mail and right-clicks on the icon, then selects "Verify." A 
window pops up that says: 

The following text has been signed with a public key registered as key ABC01 at 
SelfCertify.com. Alice B. Costas has signed a written covenant not to repudiate digital 
signatures created with this public key. To view this paper, click here. The code of this public 
key is BD7D F2FD EC1C DF14 4811 574F F7CE 7D1E 6EB6 F7E9 CCF7 208B. 

Since this is a $1M deal and he has never used the software before, Bob is not 
content with the software's assertion that Alice has entered into a legally binding 
covenant not to repudiate her digital signature with this key. Plus, Bob wants to have 
his lawyer look over the language of the covenant. So he clicks on the "here" link and a 
viewer window pops up with a TIFF copy of Alice's ACI. He prints out the ACI, notes 
that Alice's signature (which he recognizes from previous paper-based contracts) has 
been notarized and that the key code in the ACI is reproduced throughout the 
background of the document as vertically oriented digits in various outline fonts. The 
digits intermingle with the signatures, notary stamp, handwritten annotations, and 
images from Alice's driver's license. The key code digits even show up in the 
background of Alice's photograph in her driver's license. 

Bob needs no further convincing that Alice was the one who signed the purchase 
agreement. His lawyer, however, wants him to check out SelfCertify.com's SSL 
certificate for the copied ACI. Bob downloads the ACI copy from SelfCertify.com and, 
with the image of the ACI in his Web browser, clicks on the "security" button of the 
browser. The browser provides a certificate issued to SelfCertify.com from a major CA, 
and Bob's lawyer is satisfied. 

If Alice uses S/MIME to digitally sign her message, Bob can simply trust her 
S/MIME "Digital ID" based on the certificate SelfCertify has issued for it. Thus Alice 
and Bob can use the Direct Trust model with S/MIME signatures and conventional 
digital certificates, trusting SelfCertify.com as a CA only for inspecting and verifying 
Alice's ACI against the standard covenant language of the ACI, which is published at 
SelfCertify.com. 

Alternatively, Bob can download and review Alice's ACI for her "Digital ID" 
from the web site of SelfCertify.com. If Bob chooses to download Alice's ACI, he will 
need to open Alice's "Digital ID," look for her SHA1 fingerprint, and compare it to the 
fingerprint printed on her ACI. This alternative procedure, while requiring an extra 
step, provides S/MIME signatures based more directly on the Covenant Trust model, 
moving closer to the ultimate link in the chain of authenticity, which is the original 
notarized, ink-signed ACI paper. 

C. THE UNDERLYING TECHNOLOGY 

The following is a brief listing of various aspects of the inventions discussed in 
this appendix: 

• The key code in the ACI can be printed throughout the background of the entire 
paper as vertically oriented digits in various outline fonts. The font types, sizes, 
spacings, and line spacings are varied pseudorandomly in each ACI to make it 
difficult for an attacker to create an identical field of digits, which the attacker 
could use to remove the digits (by an XOR operation) from the ACI and 
substitute his or her own digits. Every bit of text and authenticating indicia in the 
ACI has background digits running through it. This feature (and possibly other 
features such as varying the spacing between digits of the text in a coded 
manner) protects both the signer of the ACI and the person relying on the ACI. 

• The ACI can be created with a two-step procedure using a first page that is a 
blank ACI with a space for her driver's license or other photographic ID and a 
second page that is customized security paper with the subscriber's public key 
code printed repeatedly in the background in an outline font. The subscriber 
tapes his or her photo ID to the blank ACI in the space provided and places it on 
the glass of her photocopier, with the security paper at the top of the 
photocopier's paper supply. The blank ACI is then photocopied to produce an 
ACI, ready for the subscriber's signature, with outline digits of her key codes 
throughout its background. 

• The ACI can include language that makes it the only printed document of its 
type that can be accepted as valid. Additional ACIs can be signed electronically 
for additional keys, but they must be signed with the key that is certified in the 
original paper ACI. SelfCertify.com attaches digitally signed ACIs (for a fee) to 
the PDF or TIFF file in which it distributes the original paper ACI. By ensuring 
that the original printed document disclaims all other documents purporting to 
bear the signer's handwritten signature, a "strength in numbers" validity system 
is established that gives the authenticity of a widely distributed ACI, publicly 
available from a trusted server, far more weight than a single forged copy having 
a different key code. This feature helps to protect the signer of the ACI. 

• The SelfCertify software can employ an ECDSA public key signature system with 
NIST Elliptic Curve P-192 (equivalent to 80-bit key length of symmetric cipher). 
The elliptic curve is described by a GF(p) field, where p is prime, to avoid recent 
attacks on elliptic curves from GF(2^m), where m is a composite of smaller primes. 
(See Smart, N. et al., "Constructive and Destructive Facets of Weil Descent on 
Elliptic Curves," HP Technical Report HPL-2000-10, 17 January 2000.) A 192-bit 
public key can be represented by 12 groups of 4 hexadecimal digits. The short 
key length made possible by elliptic curve cryptography makes it easy for a 
recipient to visually verify the entire key code against the printed text of an ACI 
and the background security digits. 

• The subscriber can be instructed to use a standardized, pronounceable 
passphrase made of "pseudowords" with alternating consonants and vowels. 
The passphrase is designed to be relatively easy to memorize, pronounce, and 
type and is very secure, with an entropy of about 2^64. The passphrase is created 
with a simple, secure system using a piece of paper and a paper clip for random 
selection of digits. 

• A SHA-1 hash of the passphrase can be used as the private key, with the 
subscriber's full legal name (from the SelfCertify.com directory) incorporated 
(transparently to the signer) into the passphrase as "salt." The use of salt 
prevents passphrase attacks using pre-computed hashes of passphrases within 
the standardized ~2^64 passphrase space. 

• Formatting of signed text can be preserved after signing. The added text of the 
signature block is formatted in an unobtrusive font that does not detract from the 
appearance of the signed text. The text in the signature block includes a data field 
with the number of characters being signed, which avoids the need for a 
distracting header block (e.g., "-----BEGIN PGP SIGNED MESSAGE-----" in 
PGP). Documents can also be signed as files, in which case the signature resides 
in a separate ".SIG" file, as is conventional. 

• ACIs can be automatically opened from the software's signature validation 
window, based on the identification information in the signature block, and 
displayed or printed from a compact viewing window. 
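
The P-192 key-code item and the salted SHA-1 passphrase item above can be followed end to end in the sketch below, which is an added example and not the SelfCertify software's code. The way the legal name is normalized and joined to the passphrase, the use of the public point's x-coordinate as the 192-bit key code, the sample passphrase and all function names are assumptions.

```python
import hashlib

# NIST P-192 (secp192r1) domain parameters: a curve over GF(p) with p prime.
P = 2**192 - 2**64 - 1
A = P - 3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831  # order of G

# Constructed sample passphrase of consonant/vowel pseudowords (not from the page).
SAMPLE_PASSPHRASE = "tobuki laresu mivano defuga"


def on_curve(pt):
    """True for the point at infinity (None) or a point on y^2 = x^3 + ax + b."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Textbook affine addition; not constant time, for illustration only."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p2 is the inverse of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add computation of k * pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def derive_keypair(legal_name, passphrase):
    """Private key = SHA-1(salt || passphrase), with the legal name as salt.

    Assumed encoding: whitespace-collapsed upper-case name, newline, passphrase.
    A 160-bit digest is always below the 192-bit group order N.
    """
    salt = " ".join(legal_name.split()).upper()
    digest = hashlib.sha1((salt + "\n" + passphrase).encode("utf-8")).digest()
    d = int.from_bytes(digest, "big")
    if d == 0:
        raise ValueError("degenerate private key")
    return d, scalar_mult(d, G)


def key_code(public_point):
    """192-bit x-coordinate as 12 groups of 4 hexadecimal digits (assumed layout)."""
    digits = f"{public_point[0]:048X}"
    return " ".join(digits[i:i + 4] for i in range(0, 48, 4))


def matches_printed_code(public_point, printed):
    """Recipient's check of a key against the code typed in from an ACI,
    ignoring case and spacing differences."""
    typed = "".join(printed.split()).upper()
    return typed == key_code(public_point).replace(" ", "")


if __name__ == "__main__":
    for name in ("Alice B. Costas", "Robert Q. Example"):   # constructed names
        _, pub = derive_keypair(name, SAMPLE_PASSPHRASE)
        print(f"{name:20s} {key_code(pub)}")
```

The same passphrase yields unrelated key codes for the two names, which is what defeats a table precomputed over the passphrase space alone. A single SHA-1 pass adds no work factor, so against guessing aimed at one named subscriber the passphrase entropy is the entire margin.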

### 

Alice wishes to become a subscriber to SelfCertify.com so that Bob will rely on her public key. 
However, she doesn't wish to go through the hassle of having a paper document sent to her and 
having it signed in the presence of a notary. She also wants people to be able to authenticate her 
public key by hearing a simple recorded statement by her. So, she chooses the "Verbal ACI" 
option on the SelfCertify.com Web site and enters her phone number and the fingerprint of her 
public key into the form. The Web site then lists a phone number and an access code and invites 
her to call the number. 

She dials the number (making sure that call blocking is disabled so that SelfCertify.com can detect 
the phone number she's calling from) and enters the access code using the touchtone keys of her 
telephone. She then enters into a brief oral exchange with a computer or human operator at 
SelfCertify.com. The exchange goes something like this: 

SC: This telephone call is being recorded for the permanent records of SelfCertify.com, for the 
purpose of authenticating a public key you are certifying with SelfCertify.com. If you consent to this 
recording and proceeding with the certification process, please state "I agree" and then recite your 
full legal name and mailing address. 

Alice: I agree. My name is Alice P. Costas, and my address is 537 Main Street, KvsNjt^w 
M^o^ 12345. 

SC: Now that we have your agreement to record this telephone call and proceed, we will ask that 
you carefully read the terms of the "Authentication and Certification Instrument." You will be asked 
to agree to the terms of that document, and your recorded verbal agreement will legally bind you 
to those terms as if you had signed the document with your ink signature. Please state "Yes, it is" 
to confirm that the statement entitled "Authentication and Certification Instrument" is now 
displayed on your web browser at https://www.selfcertify.com/aci32776 and that the document 
refers to a public key with fingerprint 2355 7782 1193 8001. You will be given an opportunity to 
read the document in a minute if you haven't already done so. Right now, we just ask you to 
confirm that the document is being displayed. 

Alice: Yes, it is. 

SC: Now we will ask you to ensure that you have read the document. We recommend that you 
print the document for your records, as you will be bound to its terms if you proceed. Please say "I 
have read the document" when you have done so. 

Alice: Yes, I've read the document. 

SC: Now please confirm your legally binding agreement with the terms of the document entitled 
"Authentication and Certification Instrument, " displayed on your web browser at 
https://www.selfcertify.com/aci32776 and referring to a public key with fingerprint 2355 7782 
1193 8001, on this day of . by stating "Yes, I agree to the terms of the 
document." 

Alice: Yes, I agree. 

SC: Sorry, you need to state exactly, "Yes, I agree to the terms of the document." 
Alice: Yes, I agree to the terms of the document. 

SC: Thank you. This includes your verbal certification of your public key. Thank you. 



<End of Recording> 



SIGNED MEDIA STREAMS 

This invention is another aspect of the general concept of calculating a digital 
signature based on all of the contents of an electronic record except an excluded 
signature portion. (The general concept advantageously gets around the circular 
problem of a document essentially signing itself.) 

With modern technology, it is difficult to place trust in the authenticity of a video 
or audio recording. Portions of the recording can be digitally modified in a way that 
even a careful observer cannot detect. One advantageous aspect of this invention 
permits a video or audio recording to be validated without requiring a special recording 
format. Another advantageous aspect of this invention performs frame-by-frame 
authentication of a recording to ensure that the observer is alerted to unauthenticated 
portions of the recording. 

An attached page includes two figures, one depicting the spectrum of an audio 
recording with an out-of-band transmission of digital signature information, and the 
other depicting the frame-by-frame computation and transmission of digital signatures. 
During frame T2, a digital signature S1 is computed based on digital samples of the 
recording within frame T1, and the signature S1 is transmitted (along with other digital 
samples of the recording) in frame T3. During frame T3, a digital signature S2 is 
computed based on digital samples of the recording within frame T2, and the signature 
S2 is transmitted (along with other digital samples of the recording) in frame T4 (not 
shown). Optionally, digital signature S2 can include (or consist of) an aggregate 
signature formed from a bitwise modulo sum of the signature and the previous 
signature. 

Advantageously, the video or audio recording can be transmitted and stored 
independent of any specific digital format, as long as the modulated digital signature 
information is faithfully conveyed along with the recording information. To allow for 
degradation of the recording, the signature is preferably computed based on truncated 
samples. An example of a truncated sample is an audio sample (e.g., noisy 16 bits) that 
is set to the nearest value within a truncated binary set (e.g., 8 bits). The likelihood of a 
noisy value being pushed over a boundary between values within the truncated set is 
small, about 1 in 2^(x-y), where x is the full set size in bits and y is the truncated set size in 
bits. 

With x-y=8, the likelihood is 1 in 255, which represents a fairly significant 
probability of signature error in a given frame. Consequently, the number of samples in 
a frame should be kept fairly small. 

More preferably, speech statistics (i.e., "feature vectors") used in speech 
recognition (13 spectral magnitude values within 10 ms frames) can be derived from the 
recording. If the derivation of the statistics can be made robust in the presence of noise, 
fewer signature errors will result. 

The media player can authenticate the media stream by including a visually 
intuitive authentication display. The display can take into account a running statistic of 
frame authentications, for example by slightly decreasing a "gas gauge" bar for each 
signature error in a moving average of 32 frames. If frames are short enough, the speech 
content will not be suspect unless a large gap occurs. 
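
The frame-by-frame scheme described above, as an added example that is not part of the original appendix: each frame carries the tag computed over the truncated samples of the frame two positions earlier, and the player keeps a 32-frame moving average for its gauge. HMAC-SHA256 stands in for the public-key signature, and the key, frame sizes and sample values are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import deque

FULL_BITS, TRUNC_BITS = 16, 8          # x and y in the text
STEP = 1 << (FULL_BITS - TRUNC_BITS)   # width of one truncated value
DELAY = 2                              # S1 covers T1, is computed in T2, sent in T3
WINDOW = 32                            # moving-average length from the text


def truncate(sample):
    """Set an unsigned 16-bit sample to the nearest value of the 8-bit set."""
    return min((sample + STEP // 2) // STEP, (1 << TRUNC_BITS) - 1)


def frame_tag(key, samples):
    """Tag over one frame's truncated samples (HMAC stands in for a signature)."""
    data = bytes(truncate(s) for s in samples)
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_stream(key, frames):
    """Return (samples, tag) pairs; frame i carries the tag of frame i - DELAY."""
    out = []
    for i, samples in enumerate(frames):
        tag = frame_tag(key, frames[i - DELAY]) if i >= DELAY else None
        out.append((list(samples), tag))
    return out


def verify_stream(key, received):
    """Return per-frame status (True, False, or None when no tag has arrived)
    and the gauge value after each verification."""
    status = [None] * len(received)
    recent = deque(maxlen=WINDOW)
    gauge = []
    for i, (_, tag) in enumerate(received):
        if tag is None or i < DELAY:
            continue
        ok = hmac.compare_digest(tag, frame_tag(key, received[i - DELAY][0]))
        status[i - DELAY] = ok
        recent.append(ok)
        gauge.append(sum(recent) / len(recent))
    return status, gauge


def constructed_recording(n_frames=40, frame_len=16):
    """Constructed samples, each at the centre of a truncation step."""
    return [[STEP * (1 + (7 * i + 3 * j) % 254) for j in range(frame_len)]
            for i in range(n_frames)]


def add_noise(samples, i):
    """Constructed degradation of at most +/-50 counts, well inside one step."""
    return [s + ((31 * i + 17 * j) % 101) - 50 for j, s in enumerate(samples)]


def demo():
    key = b"constructed demo key"
    sent = sign_stream(key, constructed_recording())
    # Every frame is degraded slightly; frame 10 additionally has its audio replaced.
    received = [(add_noise(s, i), t) for i, (s, t) in enumerate(sent)]
    altered = [(s + 16 * STEP) % (1 << FULL_BITS) for s in received[10][0]]
    received[10] = (altered, received[10][1])
    return verify_stream(key, received)


if __name__ == "__main__":
    status, gauge = demo()
    print("failed frames:", [i for i, ok in enumerate(status) if ok is False])
    print("frames without a tag yet:", [i for i, ok in enumerate(status) if ok is None])
    print("gauge low point and final value:", min(gauge), gauge[-1])
```

The last two frames stay unverified because their tags would arrive in frames that were never sent, which is the gap a player has to show as "not yet authenticated" rather than as a failure.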

In this paper, we review recent developments in transparent 
data embedding and watermarking for audio, image, and video. 
Data-embedding and watermarking algorithms embed text, binary 
streams, audio, image, or video in a host audio, image, or video 
signal. The embedded data are perceptually inaudible or invisible 
to maintain the quality of the source data. The embedded data 
can add features to the host multimedia signal, e.g., multilingual 
soundtracks in a movie, or provide copyright protection. We discuss 
the reliability of data-embedding procedures and their ability to 
deliver new services such as viewing a movie in a given rated 
version from a single multicast stream. We also discuss the issues 
and problems associated with copy and copyright protections and 
assess the viability of current watermarking algorithms as a means 
for protecting copyrighted data. 

Keywords — Copyright protection, data embedding, steganography, 
watermarking. 



I. Introduction 

The past few years have seen an explosion in the use 
of digital media. Industry is making significant investments 
to deliver digital audio, image, and video information to 
consumers and customers. A new infrastructure of digital 
audio, image, and video recorders and players, on-line services, 
and electronic commerce is rapidly being deployed. 
At the same time, major corporations are converting their 
audio, image, and video archives to an electronic form. 

Digital media offer several distinct advantages over analog 
media: the quality of digital audio, image, and video 
signals is higher than that of their analog counterparts. 
Editing is easy because one can access the exact discrete 
locations that should be changed. Copying is simple with 
no loss of fidelity. A copy of a digital media is identical 
to the original. Digital audio, image, and videos are easily 
transmitted over networked information systems. 

These advantages have opened up many new possibilities. 
In particular, it is possible to hide data (information) within 
digital audio, image, and video files. The information is 
hidden in the sense that it is perceptually and statistically 
undetectable. With many schemes, the hidden information 
can still be recovered if the host signal is compressed, 
edited, or converted from digital to analog format and back. 

As we shall see in Section II, pure analog data-hiding 
techniques had been developed in the past. However, these 
techniques are not as robust as most of the digital data 
hiding techniques that we review in this paper. Furthermore, 
they cannot embed as much data in a host signal as the 
digital approaches. 

Digital data embedding has many applications. Foremost 
is passive and active copyright protection. Many of the 
inherent advantages of digital signals increase problems 
associated with copyright enforcement. For this reason, cre- 
ators and distributors of digital data are hesitant to provide 
access to their intellectual property. Digital watermarking 
has been proposed as a means to identify the owner or 
distributor of digital data. 

Data embedding also provides a mechanism for embed- 
ding important control, descriptive, or reference information 
in a given signal. This information can be used for tracking 
the use of a particular clip, e.g., for pay-per-use appli- 
cations, including billing for commercials and video and 
audio broadcast, as well as Internet electronic commerce of 
digital media. It can be used to track audio or visual object 
creation, manipulation, and modification history within a 
given signal without the overhead associated with creating 

he knows that the host signal contains data and is familiar 
with the exact algorithm for embedding the data. Note that 
in some applications, e.g., covert communications, the data 
may also be encrypted prior to insertion in a host signal. 

F. Copyright Protection and Ownership Deadlock 

Data-embedding algorithms may be used to establish 
ownership and distribution of data. In fact, this is the 
application of data embedding or watermarking that has 
received most attention in the literature. Unfortunately, 
most current watermarking schemes are unable to resolve 
rightful ownership of digital data when multiple ownership 
claims are made, i.e., when a deadlock problem 
arises. The inability of many data-embedding algorithms to 
deal with deadlock, first described by Craver et al. [15], 
is independent of how the watermark is inserted in the 
multimedia data or how robust it is to various types of 
modifications. 

Today, no scheme can unambiguously determine ownership 
of a given multimedia signal if it does not use an 
original or other copy in the detection process to at least 
construct the watermark to be detected. A pirate can simply 
add his watermark to the watermarked data or counterfeit 
a watermark that correlates well or is detected in the 
contested signal. Current data-embedding schemes used as 
copyright-protection algorithms are unable to establish who 
watermarked the data first. Furthermore, none of the current 
data-embedding schemes has been proven to be immune to 
counterfeiting watermarks that will correlate well with a 
given signal as long as the watermark is not restricted to 
depend partially in a noninvertible manner on the signal. 

If the detection scheme can make use of the original 
to construct the watermark, then it may be possible to 
establish unambiguous ownership of the data regardless of 
whether the detection scheme subtracts the original from the 
signal under consideration prior to watermark detection or 
not. Specifically, [16] derives a set of sufficient conditions 
that watermarks and watermarking schemes must satisfy to 
provide unambiguous proof of ownership. For example, one 
can use watermarks derived from pseudorandom sequences 
that depend on the signal and the author. Reference [16] 
establishes that this will work for all watermarking proce- 
dures regardless of whether they subtract the original from 
the signal under consideration prior to watermark detection 
or not. Reference [85] independently derived a similar result 
for a restricted class of watermarking techniques that rely 
on subtracting a signal derived from the original from the 
signal under consideration prior to watermark detection. 
The signal-dependent key also helps to thwart the 
"mix-and-match" attack described in [16]. 

An author can construct a watermark that depends on the 
signal and the author and provides unambiguous proof of 
ownership as follows. The author has two random keys x_1 
and x_2 (i.e., seeds) from which a pseudorandom sequence y 
can be generated using a suitable pseudorandom sequence 
generator [76]. Popular generators include RSA, Rabin, 
Blum/Micali, and Blum/Blum/Shub [25]. With the two 
proper keys, the watermark may be extracted. Without the 
two keys, the data hidden in the signal are statistically 
undetectable and impossible to recover. Note that classical 
maximal length pseudonoise sequences (i.e., m-sequence) 
generated by linear feedback shift registers are not used 
to generate a watermark. Sequences generated by shift 
registers are cryptographically insecure: one can solve for 
the feedback pattern (i.e., the keys) given a small number 
of output bits y. 

The noise-like sequence y may be used to derive the 
actual watermark hidden into the signal or to control the 
operation of the watermarking algorithm, e.g., to determine 
the location of pixels that may be modified. The key x_1 
is author dependent. The key x_2 is signal dependent. The 
key x_1 is the secret key assigned to (or chosen by) the 
author. The key x_2 is computed from the signal that the 
author wishes to watermark. It is computed from the signal 
using a one-way hash function. For example, the tolerable 
error levels supplied by masking models (see Section IV) 
are hashed in [85] to a key x_2. Any one of a number of 
well-known secure one-way hash functions may be used to 
compute x_2, including RSA, MD4 [77], and SHA [60]. For 
example, the Blum/Blum/Shub pseudorandom generator 
uses the one-way function y = g_n(x) = x^2 mod n, where 
n = pq for primes p and q so that p = q = 3 mod 4. It can 
be shown that generating x or y from partial knowledge 
of y is computationally infeasible for the Blum/Blum/Shub 
generator. 

The signal-dependent key x_2 makes counterfeiting very 
difficult. The pirate can only provide key x_1 to the arbitrator. 
Key x_2 is automatically computed by the watermarking 
algorithm from the original signal. As it is computationally 
infeasible to invert the one-way hash function, the pirate 
is unable to fabricate a counterfeit original that generates a 
desired or predetermined watermark. 
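
The two-key construction and the arbitrator's check, as an added example that is not taken from the paper: x_2 is always recomputed from the claimed original, so a claimant controls only x_1. The modulus, the way the two seeds are combined, the use of SHA-256 and the sample data are assumptions of this example.

```python
import hashlib
from math import gcd

# Demonstration modulus n = p*q with p = q = 3 mod 4. These two Mersenne primes
# are an assumption of this example, chosen because they are easy to check;
# they are not suitable parameters for real use.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q


def signal_key(signal):
    """x_2: one-way hash of the signal being watermarked (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(signal).digest(), "big")


def bbs_sequence(x1, x2, nbits):
    """Pseudorandom bit sequence y generated from the two seeds x_1 and x_2."""
    # Assumption: the seeds are combined by hashing; the page does not say how.
    mixed = hashlib.sha256(x1.to_bytes(32, "big") + x2.to_bytes(32, "big")).digest()
    x = int.from_bytes(mixed, "big") % N
    if x < 2 or gcd(x, N) != 1:
        raise ValueError("unusable seed")
    bits = []
    for _ in range(nbits):
        x = x * x % N        # y = g_n(x) = x^2 mod n
        bits.append(x & 1)   # emit the least significant bit of each state
    return bits


def arbitrate(claimed_original, x1, claimed_sequence):
    """Arbitrator's check: x_2 is recomputed from the original, never supplied."""
    x2 = signal_key(claimed_original)
    return bbs_sequence(x1, x2, len(claimed_sequence)) == claimed_sequence


# Constructed sample data: the author's key, original signal and sequence.
AUTHOR_X1 = 0x5EED0001
ORIGINAL = bytes(range(256)) * 4
AUTHOR_Y = bbs_sequence(AUTHOR_X1, signal_key(ORIGINAL), 64)

# A rival claimant supplies its own key and a slightly different "original",
# but has to account for the sequence already present in the contested signal.
RIVAL_X1 = 0x5EED0002
RIVAL_ORIGINAL = ORIGINAL[:-1] + b"\x00"

if __name__ == "__main__":
    print("author's claim accepted:", arbitrate(ORIGINAL, AUTHOR_X1, AUTHOR_Y))
    print("rival's claim accepted: ", arbitrate(RIVAL_ORIGINAL, RIVAL_X1, AUTHOR_Y))
```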

Deadlock may also be resolved using the dual water- 
marking scheme of [85]. That scheme employs a pair 
of watermarks. One watermarking procedure requires the 
original data set for watermark detection. The second wa- 
termarking procedure does not require the original data set. 
A data-embedding technique that satisfies the restrictions 
outlined in [16] can be used to insert the second watermark. 

The above discussion clearly highlights the limitation 
of watermarking as an unambiguous means of establishing 
ownership. Future clever attacks may show that the 
schemes described in [16] or [85] are still vulnerable 
to deadlock. Furthermore, all parties would need to use 
watermarking techniques that have been proven or certified 
to be immune to deadlock to establish ownership of media. 
Note also that contentions of ownership can occur in too 
many different forms. Copyright protection will probably 
not be resolved exclusively by one group or even the 
entire technical community since it involves too many 
legal issues, including the very definition of similarity and 
derived works. Many multidisciplinary efforts are currently 
investigating standards and rules for national and interna- 
tional copyright protection and enforcement in the digital 
age. 

Fig. 1. Diagram of a data-embedding algorithm. The information 
is embedded into the signal using the embedding algorithm and 
a key. The dashed lines indicate that the algorithm may directly 
exploit perceptual analysis to embed information. 

IV. Signal Insertion: The Role of Masking 

The first problem that all data-embedding and watermark- 
ing schemes need to address is that of inserting data in the 
digital signal without deteriorating its perceptual quality. 
Of course, we must be able to retrieve the data from the 
edited host signal, i.e., the insertion method must also 
be invertible. Since the data-insertion and data-recovery 
procedures are intimately related, the insertion scheme must 
take into account the requirement of the data-embedding 
application. In many applications, we will need to be able 
to retrieve the data even when the host signal has undergone 
modifications, such as compression, editing, or translation 
between formats, including A/D and D/A conversions. 

Data insertion is possible because the digital medium 
is ultimately consumed by a human. The human hearing 
and visual systems are imperfect detectors. Audio and 
visual signals must have a minimum intensity or contrast 
level before they can be detected by a human. These 
minimum levels depend on the spatial, temporal, and fre- 
quency characteristics of the human auditory and visual 
systems. Further, the human hearing and visual systems are 
characterized by an important phenomenon called masking. 
Masking refers to the fact that a component in a given audio 
or visual signal may become imperceptible in the presence 
of another signal called the masker. Most signal-coding 
techniques (e.g., [41]) exploit the characteristics of the 
human auditory and visual systems directly or indirectly. 
Likewise, all data-embedding techniques exploit the charac- 
teristics of the human auditory and visual systems implicitly 
or explicitly (see Fig. 1). In fact, embedding data would not 
be possible without the limitations of the human visual and 
auditory systems. For example, it is not possible to modify 
a binary stream that represents programs or numbers that 
will be interpreted by a computer. The modification would 
directly and adversely affect the output of the computer. 

A. The Human Auditory System (HAS) 

Audio masking is the effect by which a faint but audible 
sound becomes inaudible in the presence of another louder 
audible sound, i.e., the masker [42]. The masking effect 
depends on the spectral and temporal characteristics of both 
the masked signal and the masker. 

Frequency masking refers to masking between frequency 
components in the audio signal. If two signals that occur 
simultaneously are close together in frequency, the stronger 
masking signal may make the weaker signal inaudible. The 
masking threshold of a masker depends on the frequency, 
sound pressure level, and tone-like or noise-like characteristics 
of both the masker and the masked signal [61]. It is 
easier for a broad-band noise to mask a tonal signal than for 
a tonal signal to mask out a broad-band noise. Moreover, 
higher frequency signals are more easily masked. 

The human ear acts as a frequency analyzer and can 
detect sounds with frequencies that vary from 10 to 20000 
Hz. The HAS can be modeled by a set of bandpass filters 
with bandwidths that increase with increasing frequency. 
The bands are known as the critical bands. The critical 
bands are defined around a center frequency in which the 
noise bandwidth is increased until there is a just noticeable 
difference in the tone at the center frequency. Thus, if a 
faint tone lies in the critical band of a louder tone, the faint 
tone will not be perceptible. 

Frequency-masking models are readily obtained from the 
current generation of high-quality audio codecs, e.g., the 
masking model defined in the International Standards Or- 
ganization (ISO)-MPEG Audio Psychoacoustic Model 1 for 
Layer I [40]. The Layer I masking method is summarized 
as follows for a 32-kHz sampling rate. The MPEG model 
also supports sampling rates of 44.1 and 48 kHz. 

The frequency mask is computed on localized segments 
(or windows) of the audio signal. The first step consists of 
computing the power spectrum of a short window (512 or 
1024 samples) of the audio signal. Tonal (sinusoidal) and 
nontonal (noisy) components in the spectrum are identified 
because their masking models are different. A tonal compo- 
nent is a local maximum of the spectrum. The auditory sys- 
tem behaves as a bank of bandpass filters, with continuously 
overlapping center frequencies. These "auditory filters" can 
be approximated by rectangular filters with critical band- 
width increasing with frequency. In this model, the audible 
band is therefore divided into 24 nonregular critical bands. 

Next, components below the absolute hearing threshold 
and tonal components separated by less than 0.5 Barks 
are removed. The final step consists of computing individual 
and global masking thresholds. The frequency axis 
is discretized according to hearing sensitivity, and 
frequencies are expressed in Barks. Note that hearing sensitivity is higher 
at low frequencies. The resulting masking curves are almost 
linear and depend on a masking index different for tonal and 
nontonal components. They are characterized by different 
lower and upper slopes depending on the distance between 
the masked and the masking component. We use f_1 to 
denote the set of frequencies present in the test signal. The 
global masking threshold for each frequency f_2 takes into 
account the absolute hearing threshold S_a and the masking 
curves P_2 of the N_t tonal components and N_n nontonal 
components 

APPENDIX H 

FILING CONTENTS AUTHENTICATION 

Joe Agent creates a document when filing a patent 
application for a client. He wants an additional piece of 
evidence that the patent application was mailed and that 
what was mailed was the patent application. So, he creates 
a PDF file of the application's text and drawings and 
computes the SHA1 hash of the PDF file using the free 
GPG software ("GNU Privacy Guard"), which he trusts. He 
makes a copy of the Express Mail label under which the 
application is to be mailed before having the label 
initialed and dated by the postal worker. 

He then makes a Word 97 document that includes a brief 
block of text for a witness to sign and date. The block of 
text includes the Express Mail label and the hash. The 
document displays the digits of the hash as vertically 
oriented digits in various outline fonts, as with the ACI 
(see, e.g., Appendix A). He then puts the photocopy of the 
non-initialed express mail label in his printer's paper 
supply, and prints the Word 97 (RTM) document. 

The resulting document bears the image of the non-initialed 
express mail label with the hash of the patent 
application PDF file throughout its background and in a 
block of text at the top. Joe presents the document to Jane 
Attorney, an attorney in the office next door, for her 
dated signature. Now he can present the PDF file and the 
signed and dated paper document as evidence that the patent 
application reproduced in the PDF file existed before the 
express mail label was used to mail a package. This 
provides evidence that the patent application, reproduced 
in the PDF file, was actually what was mailed on the date 
of the express mail label. The proof can be made a bit 
stronger by including the express mail label number in a 
footer on the first page of the patent application, so that 
the PDF file contains the express mail label number shown 
in the document. But that's going way beyond the level of 
evidence currently needed to reconstruct a file lost by the 
PTO. 

This particular embodiment of the inventions can be 
employed in any situation where proof of mailing of a 
particular document is desired, without the need for 
digital signatures and the associated hassles of public key 
authentication. The witness to this document doesn't even 
need to know what digital signatures or hash codes are. 
He or she is simply testifying as to the existence of the 
document with that particular code. 

Multiplicative Group Option (pseudogroup op) 
f(x,y) = xy mod 2^N-k, where x,y ^ N-k; 
       = x where x < 2^N-k. (y always < 2^N-k.) 

N = 8 bits, 2^N = 256, k = 5, p = 251 prime modulus 
Pseudogroup operation with key y1: y1 = 183, z_i := f(x_i, y1) 

Multiplicative Group Option (pseudogroup op): 2^N = 256, k = 5 

Multiplicative Group Option (pseudogroup op) 

N = 16 bits, 2^N = 65536, k = 15, p = 65521 prime modulus 
Pseudogroup operation with key y1: y1 = 6595, z_i := f(x_i, y1) 

Multiplicative Group Option (pseudogroup op) 

N = 16 bits, 2^N = 65536, k = 15, p = 65521 prime modulus 
Pseudogroup operation with key y1: y1 = 59624, z_i := f(x_i, y1) 

Part 2: Commercial Cryptographic 

A post to sci.crypt suggested that increasing the IDEA sub 
to 32-bit subblocks from the design of 16 bits would increase the 
of the IDEA algorithm to a factor of 2^32. Lai answered that the 
of the algorithm was based on the fact that 2^16 + 1 is a prime 
2^32 + 1 is not. Lai suggests that the stronger properties of the 
would be compromised. The point is that small changes in struct 
have adverse ripple effects on the cryptographic structure 
become serious implementation errors. We look at other implementation 
errors in Chapter 13. 

TABLE I-1: "Pseudogroup" Operation: p=11 (prime), m=3 bits 

TABLE I-2: Key values and holes associated with them 

Each row contains input values producing a given output, except for holes (black squares). 

Each column contains key values producing outputs for a given input, except for holes. 

A "hole" is an output value that will not occur for any in the set {1,2,...2^m} of possible key 
values, given a particular input value in that set. 

TABLE II-1: Multiplicative Group Operation x*y mod p, p=17 (prime), m=4 bits 

TABLE II-2: Pseudogroup Operation: p=19 (prime), m=4 bits 

TABLE II-3: Key values and holes associated with them 

Each row contains input values producing a given output, except for holes (black squares). 

Each column contains key values producing outputs for a given input, except for holes. 

A "hole" is an output value that will not occur for any in the set {1,2,...2^m} of possible input 
values, given a particular key value in that set. 

function h = holes (y,p,M,short); 

% h = holes (y,p,N,short); 

% CONFIDENTIAL AND PROPRIETARY 

% Edwin A. Suominen 

% Finds "holes" - skipped values of set {0,1}^N in result 
% of x*y mod p. 

% Number of values in set S:{0,1}^N 
% M = 2^N; 

% For vector inputs... 
for k=1:length (y) 

    s = 1:M; % Working array of values in set S 

    % Zero out values in set that occur ("non-holes") 
    for i = 1:M 
        j = product (i,y(k),p); % xy mod p 
        % Zero out if not a hole 
        if j<=M, s(j) = 0; end 
    end 

    % Sort descending to get holes first 
    z = -sort (-s); 

    if nargin>3, 
        % There can be no more than p-2^N-1 holes. 
        % Limit size of result vector (s) accordingly. 
        z = z(1:p-M-1); 
        % Add result vector to array (if vector y) 
        h(:,k) = z'; 
    else 
        h(:,k) = s'; 
    end 

end 
end 



function [y1,y2] = holeplot (p,M); 

% y = holeplot (p,M) 

% Modulus is 2^N+k, where k is odd 
% p = M + k; 

% Create 1010... matrix of holes 
for i = 1:M/2, 
    % Get holes for each column 
    s = holes (M+1-i,p,M); 
    % Convert to 1010... format 
    s = s>0; 
    % Convert to text string 
    col = M+1-i 
    if col<10, 
        r1 = [' ' num2str(col,2)]; 
    else 
        r1 = num2str(col,2); 
    end 
    y1(i,:) = [ r1 '- ' num2str(s,1)]; 
end 

for i = 1:M/2, 
    % Get holes for each column 
    s = holes (M+1-(i+M/2),p,M); 
    % Convert to 1010... format 
    s = s>0; 
    % Convert to text string 
    col = M/2+1-i 
    if col<10, 
        r1 = [' ' num2str(col,2)]; 
    else 
        r1 = num2str(col,2); 
    end 
    y2(i,:) = [ r1 num2str(s,1) ]; 
end 



HOLES.M 

## usage: h = holes (y,p,M) 

## Function discovered by Edwin A. Suominen 
## Written for Octave (GNU MATLAB alternative) 

function [h,yi] = holes (y,p,M) 

  h = zeros (p-M-1,2); 

  ## Compute inverse of y mod p 
  [d,yi] = gcd(p,y); 
  if ( yi(2) < 0 ) 
    yi = p + yi(2); 
  else 
    yi = yi(2); 
  endif 

  ## Compute column 1 of LUT for this key y: 
  ## holes in ascending order 
  kk = 0; # Counter for iterating next valid hole value 
  ## For all possible hole values... 
  for i = 1:p-M-1 
    ## Compute prospective hole value (may not be valid) 
    h(i,1) = M+1 - rem( i*y-(p-M-1), p); 
    ## If not valid (if > M), set to flag value 
    if ( (h(i,1)>M) | (h(i,1)<1) ) 
      h(i,:) = zeros (1,2); 
    else 
      kk++; # increment valid holes counter 
    endif 
  endfor 

  ## Compute column 2 of LUT for this key y: all possible 
  ## overflowing values, xy mod p > M, in ascending order 
  kk2 = 1; # Counter for iterating next poss. overflow value 
  ## For M+1 (lowest possible overflow) to p-1 (highest possible)... 
  for i = M+1:p-1 
    ## Compute input value that would produce each 
    ## possible overflowing output 
    if ( rem(i*yi, p) <= M ) # If input valid... 
      h(kk2,2) = i;          # ...assign overflow to LUT. 
      kk2++;                 # Move to next available LUT entry 
    endif 
  endfor 

  ## Sort ascending by values in each column 
  h = sort (h); 

  if ( 1+(length (h)-kk) > length (h) ) 
    h = 0; # If there are no holes (e.g., for y=1) 
  else 
    h = h (1+(length (h)-kk):length (h),:); # Shrink h to omit flag values 
  endif 

endfunction 

ENCRYPT.M 

## usage: z = encrypt (x,y,N,k) 
## INPUT: input block(s) x, key y, block length N in bits, 
##        k offset of modulus from 2^N (p=2^N+k) 
## OUTPUT: z = x*y mod (2^N+k), but if 
##         z >= p, z = ( (z-2^N)*y - (k-1) ) mod (2^N+k) 
## Function discovered by Edwin A. Suominen 
## Written for Octave (GNU MATLAB alternative) 

function z = encrypt (x, y, N, k) 

  L = length (x);  # multiple input blocks can be supplied in a vector 
  z = zeros (L,1); # initialize output vector 

  ## Enforce k must be odd 
  if ( (k/2)==floor (k/2) ) 
    disp('2^N+k cannot be prime if k is even!'); 
    return; 
  endif 

  ## Define set order (M) and modulus (p) 
  M = 2^N; p = M+k; 

  ## Compute LUT of holes in ascending order 
  ## for this key y 
  h = holes (y,p,M); 
  Nh = rows (h); 

  ## Basic modulo multiplication operation 
  ## Do as array to speed things up 
  z = rem(x.*y,p); 

  ## For each element in vector... 
  for i = 1:L 

    ## Inventive exception handling 
    if (z(i) > M) 
      ## Map overflowing value to corresponding hole value in LUT 
      ## If there are no holes (h=1 scalar), this code will not 
      ## be called because z will always be <= M. 
      c = 1:Nh; c = c'; # 1,2 ... (# of valid holes) 
      c = c .* ( (z(i)*ones(Nh,1))==h(:,2) ); # Zeros with index of match 
      ## z = hole from LUT entry having matching overflow value 
      z(i) = h(max (c),1); 
    endif 

  endfor 
endfunction 



DECRYPT.M 

## usage: x = decrypt (z,y,N,k) 
## INPUT: encoded block(s) z, key y, block length N in bits, 
##        k offset of modulus from 2^N (p=2^N+k) 
## OUTPUT: x = z*y^-1 mod (2^N+k), but if 
##         z = h, where h = ( ((1:k)*y - (k-1) ) mod (2^N+k) 
##         then z = M+a, where 
##         a = y^-1 * (2*M+(2+p-h) ) mod (2^N+k) 
## Function discovered by Edwin A. Suominen 
## Written for Octave (GNU MATLAB alternative) 

function x = decrypt (z,y,N,k) 

  L = length (z); # multiple input blocks can be supplied in a vector 

  ## Enforce k must be odd 
  if ( (k/2)==floor (k/2) ) 
    disp('2^N+k cannot be prime if k is even!'); 
    return; 
  endif 

  ## Define set order (M) and modulus (p) 
  M = 2^N; p = M+k; 

  ## Compute LUT of holes in ascending order 
  ## for this key y 
  [h,y] = holes (y,p,M); # With two args out, returns y^-1 
  if ( size(h)==1 ) 
    Nh = 0; # Account for special case of no holes 
  else 
    Nh = rows (h); 
  endif 

  ## Done with encryption key y, now y is modulo inverse of orig. y 

  ## For all encrypted blocks (values)... 
  for i = 1:L 

    if Nh>0 
      ## If z(i) has been mapped to a hole, restore to overflowing value 
      ## For all possible hole values given this key 
      for j = 1:Nh 
        ## If matches a hole value, remap back 
        if (z(i)==h(j,1)), z(i) = h(j,2); endif 
      endfor 
    endif 

  endfor 

  ## Now invert remapped values in vector 
  ## Restored overflowing values will be decrypted properly. 
  ## Do as array to speed things up 
  x = rem(z.*y,p); # y = y^-1 at this point 

endfunction 

HOLETEST.M 

## HOLETEST.M 
## Written for Octave (GNU MATLAB alternative) 

# Np = 1; M = 128; p = M + 3; 
Np = 1; M = 512; p = M + 9; 

% Try all column (key) values in {1,2,...M} 
for j = 2:M, 

  % Get hole values with brute-force lookup method 
  x1 = holes1 (j,p,M); 

  % Get hole values using formula discovered by Ed Suominen 
  x2 = holes2 (j,p,M); 

  disp (' '); 
  disp (['j=', num2str (j)]); 
  % disp('-x1- -x2-'); 
  % disp([x1 x2]); 

  % Compare 
  err(j) = sum (abs (x1-x2)); 
  disp(['Sum of absolute differences = ', num2str (err(j))]); 

endfor 



HOLES1.M 

function h = holes1 (y,p,M); 

% h = holes1 (y,p,N); 

% Finds "holes" - skipped values of set {0,1}^N in result 
% of x*y mod p. Variable length result with only holes. 

% Number of values in set S:{0,1}^N 
% M = 2^N; 

s = 1:M; % Working array of values in set S 

% Zero out values in set that occur ("non-holes") 
for i = 1:M 
  j = rem(i*y,p); % xy mod p 
  % Zero out if not a hole 
  if j<=M, s(j) = 0; end 
endfor 

% Sort descending to get holes first 
h = -sort (-s); 

% Trim off zeros (non-holes) 
Nnz = sum(h>0); h = h(1:Nnz)'; 

endfunction 
HOLES2.M

function h = holes2(y,p,M);
% h = holes2(y,p,M)
% Finds "holes" - skipped values of set {0,1}^N in result
% of x*y mod p.
% Uses equation discovered by Edwin A. Suominen

% Number of values in set S:{0,1}^N
% M = 2^N;

k = p-(M+1);

% For vector inputs...
for i=1:length(y)
  for j=1:k,
    ## Input values between M+1 and p will of necessity
    ## be mapped to holes (values not produced by inputs
    ## from set {1,2,...M} because xy mod p is a bijection
    ## (See HAC 1.8 Definition)
    ## h(j,i) = rem( (M+j)*y ,p);

    ## Equation above is simple but doesn't work when
    ## M < xy < p (which happens rarely, but it happens).
    h(j,i) = M+1 - rem(j*y(i)-k,p);
  endfor
endfor

% Map negs. to 0, Sort descending to match formats
Nok = sum(h<=M); h = sort(h); h = h(1:Nok);
if Nok==0, h = []; endif
h = h.*(h>0);
h = -sort(-h);

% Trim off zeros (non-holes)
Nnz = sum(h>0); h = h(1:Nnz);

endfunction
octave:56> date
ans =

octave:57> clock
ans =

  2000.0000
  12.0000  35.0000
  9.0000
  32.0890
  30.0000

octave:58> type holes1
holes1 is the user-defined function defined from: /1093-2/holes1.m

function h = holes1(y,p,M);
% h = holes1(y,p,N);
% CONFIDENTIAL AND PROPRIETARY
% Edwin A. Suominen
% 091600 - Initial writing
% Finds "holes" - skipped values of set {0,1}^N in result
% of x*y mod p. Variable length result with only holes.

% Number of values in set S:{0,1}^N
% M = 2^N;

s = 1:M;  % Working array of values in set S

% Zero out values in set that occur ("non-holes")
for i = 1:M
  j = rem(i*y,p);  % xy mod p
  % Zero out if not a hole
  if j<=M, s(j) = 0; end
endfor

% Sort descending to get holes first
h = -sort(-s);

% Trim off zeros (non-holes)
Nnz = sum(h>0); h = h(1:Nnz)';

endfunction

octave:59> type holes2
holes2 is the user-defined function defined from: /1093-2/holes2.m

function h = holes2(y,p,M)
% h = holes2(y,p,M)

% Finds "holes" - skipped values of set {0,1}^N in result
% of x*y mod p.
% Uses equation discovered by EAS

% Number of values in set S:{0,1}^N
% M = 2^N;

k = p-(M+1);

% For vector inputs...
for i=1:length(y)
  for j=1:k,
    ## Input values between M+1 and p will of necessity
    ## be mapped to holes (values not produced by inputs
    ## from set {1,2,...M} because xy mod p is a bijection
    ## (See HAC 1.8 Definition)
    h(j,i) = rem( (M+j)*y ,p);
    ## The simple equation above is substituted for the one below
    ## h(j,i) = M+1 - rem(j*y(i)-k,p);
  endfor
endfor

% Map negs. to 0, Sort descending to match formats
Nok = sum(h<=M); h = sort(h); h = h(1:Nok);
if Nok==0, h = []; endif
h = h.*(h>0);
h = -sort(-h);

% Trim off zeros (non-holes)
Nnz = sum(h>0); h = h(1:Nnz);

endfunction

octave:60> type holetest
holetest is the script file: /1093-2/holetest.m

## HOLETEST.M
## This file is CONFIDENTIAL AND PROPRIETARY.
## Written for Octave (GNU MATLAB alternative)
## REVISION.

Np = 1; M = 512; p = M + 9;

% Try all column (key) values in {1,2,...M}
for j = 2:M,

  % Get hole values with brute-force lookup method
  x1 = holes1(j,p,M);

  % Get hole values using formula discovered
  % by Ed Suominen
  x2 = holes2(j,p,M);

  disp(' ');
  disp(['j=', num2str(j)]);
  disp('-x1- -x2-');
  disp([x1 x2]);

  % Compare
  err(j) = sum(abs(x1-x2));
  disp(['Sum of absolute differences = ', num2str(err(j))]);

endfor

octave:61> who

*** currently compiled functions:

clock  date  holes1  holes2

octave:62> holetest
octave:63> who

*** currently compiled functions:

clock    columns  date     holes1
holes2   num2str  rem      rows

*** local user variables:

M  Np  err  x1  x2

octave:64> size(M)
ans =

  1  1

octave:65> size(x1)
ans =

  8  1

octave:66> size(err)
ans =

  512  1

octave:67> max(abs(err))
ans = 0
octave:68> 'Simple hole finding function works!'
ans = Simple hole finding function works!
octave:69> clock
ans =

octave:70> diary off



HOLES3.M

function [k,h] = holes3(y,p,M);
% h = holes3(y,p,M)
% CONFIDENTIAL AND PROPRIETARY
% Edwin A. Suominen
% Finds "holes" - skipped values of set {0,1}^N in result
% of x*y mod p.
% Uses equation discovered by EAS 9/16/00

% Number of values in set S:{0,1}^N
% M = 2^N;

k = p-(M+1);

% For vector inputs...
for i=1:length(y)
  for j=1:k,
    ## Input values between M+1 and p will of necessity
    ## be mapped to holes (values not produced by inputs
    ## from set {1,2,...,M} because xy mod p is a bijection
    ## (See HAC 1.8 Definition)
    ## h(j,i) = rem( (M+j)*y ,p);

    ## Equation above is simple but doesn't work when
    ## M < xy < p (which happens rarely, but it happens).
    h(j,i) = M+1 - rem(j*y(i)-k,p);
  endfor
endfor

if (nargout>=2)
  k = 1:k; k=k';
endif

endfunction



TEST3.M

TESTS EACH INPUT FOR ALL KEYS IN SPACE

## TEST3.M
## Block size is 10 bits. Input is taken from set Z:{1,2,...1024}
## Because of EAS-invented "pseudogroup" operation, output also
## falls in set Z.
## Keys are also taken from set Z - any set element is OK.
## This test proves the following:
## (1) Output set is same as input set Z.
## (2) Each input value has a unique output value, for a given
##     key value.
## (3) The output value from "encrypt.m" can be converted back to
##     the input value with "decrypt.m," given the key value.
## (4) For a given input value, each key value produces a unique
##     output value.
## Written for Octave (GNU MATLAB alternative)

## No paging - want current screen output
page_screen_output=0;

## Set values defining set and underlying group order
N = 10; M = 2^N;  # M = 1024
k = 7; p = M+k;   # p = 1031 (prime)

## Create empty matrix of output values
A = zeros(M);

## Define vector with elements of set Z
v = linspace(1,M,M);

## Create string matrix of '-' neutral values for test condition codes
cc = ['-RESULTS- '; ' key: 1234'];  # Header

## for each key value...
for i = 1:M
  ## insert key value before neutrals
  ccr = [num2str(i), ': ----'];
  ## Leading zeros to make columns line up
  if i<10, ccr = ['0' ccr]; endif
  if i<100, ccr = ['0' ccr]; endif
  if i<1000, ccr = ['0' ccr]; endif
  cc(i+2,:) = ccr;
endfor

############ PART ONE OF TWO ##############
disp(['Tests 1-3, for each key value in set 1,2,...',num2str(M)]);
disp(' ');

## For all possible key values in Z...
for i = 1:M

  ## Show progress
  disp(['Encrypting and decrypting with key y=',num2str(i),'...']);

  ## Set key value for this iteration
  y = v(i);

  ## Encrypt all possible input values in set Z with key
  b = encrypt(v,y,N,k);
  A(:,i) = b';  # Add this output vector to output matrix

  ## Test for conditions (1), (2) now
  b = sort(b);  # Sort ascending
  disp(['Output set: min=',num2str(min(b)),', max=',num2str(max(b))])

  ##### Test Condition (1) #####
  if ( max(b)==M )
    disp('Output set is same as input set.');
    cc(i+2,7) = '+';
  else
    disp('PROBLEM: Output set larger or smaller than input set!')
    cc(i+2,7) = 'o';
  endif

  ##### Test Condition (2) #####
  ## Each input value should have a unique output value, for a given
  ## key value.
  b = diff(b);  # Get differentials between sorted elements
  if ( min(b)==1 & max(b)==1 )
    disp('All elements in output set are unique.')
    cc(i+2,8) = '+';
  else
    disp('PROBLEM: skipped or duplicated element(s) in output set!');
    cc(i+2,8) = 'o';
  endif

  ##### Decrypt output values for this key #####
  b = decrypt(A(:,i),y,N,k)';

  ##### Test Condition (3) #####
  ## Get differentials between plaintext-encrypted-decrypted (b) and
  ## plaintext (v)
  b = b - v;  # Should be all zeros if test passes
  if ( (max(abs(b))==0) )
    disp('All elements in input set encrypt and decrypt with key and inverse.');
    cc(i+2,9) = '+';
  else
    disp('PROBLEM: One or more elements do not match in encryption/decryption!');
    cc(i+2,9) = 'o';
  endif

  disp(' ');

endfor

############ PART TWO OF TWO ##############
disp(['Test 4, for each input value in set 1,2,...',num2str(M)]);
disp(' ');

##### Test Condition (4) #####
## For all possible input values in Z, working with full matrix of
## outputs
for i = 1:M

  ## Show progress
  disp(['Analyzing outputs for input x=',num2str(i),' with all keys in set...']);

  ## For a given input value, each key value should produce a unique
  ## output value.
  b = diff(sort(A(i,:)));  # Get differentials between sorted elements
  if ( min(b)==1 & max(b)==1 )
    disp('All elements in output set are unique.');
    cc(i+2,10) = '+';
  else
    disp('Skipped or duplicated element(s) in output set.');
    cc(i+2,10) = 'o';
  endif

  disp(' ');
endfor

## Display test results
disp(cc)
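
The following Python example is added here; it is not the appendix's Octave code. It recomputes the holes both by brute force and in closed form, then checks TEST3 conditions (1) to (3) for a hole-remapped multiply mod p. The function names and the pairing of overflowing outputs with holes (i-th smallest to i-th smallest) are assumptions of this example.

```python
# Added illustration in Python. Function names and the overflow/hole
# pairing are assumptions of this example, not taken from the Octave files.


def holes_bruteforce(y, p, M):
    """Values of {1..M} never produced by x*y mod p for x in {1..M}."""
    produced = {(x * y) % p for x in range(1, M + 1)}
    return [v for v in range(M, 0, -1) if v not in produced]


def holes_closed_form(y, p, M):
    """Same set, computed without scanning the inputs.

    x -> x*y mod p permutes {1..p-1}, so the values missed by inputs 1..M
    are exactly the images of the k = p-(M+1) out-of-set inputs M+1..p-1.
    Those inputs are -k, ..., -2, -1 (mod p), so their images are
    (-m*y) mod p for m = 1..k. An image above M is not a hole in {1..M},
    which is why the result can hold fewer than k values.
    """
    k = p - (M + 1)
    images = ((-m * y) % p for m in range(1, k + 1))
    return sorted((h for h in images if h <= M), reverse=True)


def remap_table(y, p, M):
    """Map each overflowing output (> M) to a hole.

    Assumed pairing: i-th smallest overflowing output to i-th smallest hole.
    """
    y_inv = pow(y, p - 2, p)  # modular inverse for prime p (Fermat)
    # An out-of-set value v is really output iff its preimage is in {1..M}.
    overflow = [v for v in range(M + 1, p) if (v * y_inv) % p <= M]
    holes = sorted(holes_closed_form(y, p, M))
    return dict(zip(overflow, holes))


def encrypt(xs, y, p, M):
    """Multiply each block by the key mod p, moving overflows into holes."""
    table = remap_table(y, p, M)
    out = []
    for x in xs:
        z = (x * y) % p
        out.append(table.get(z, z))
    return out


def decrypt(zs, y, p, M):
    """Restore overflowing values from holes, then multiply by y^-1 mod p."""
    back = {hole: over for over, hole in remap_table(y, p, M).items()}
    y_inv = pow(y, p - 2, p)
    return [(back.get(z, z) * y_inv) % p for z in zs]


def check_key(y, p, M):
    """TEST3 conditions (1)-(3) for one key y."""
    xs = list(range(1, M + 1))
    zs = encrypt(xs, y, p, M)
    same_set_and_unique = sorted(zs) == xs    # conditions (1) and (2)
    round_trip = decrypt(zs, y, p, M) == xs   # condition (3)
    return same_set_and_unique and round_trip


if __name__ == "__main__":
    M, p = 512, 521  # HOLETEST.M parameters
    differ = [y for y in range(2, M + 1)
              if holes_bruteforce(y, p, M) != holes_closed_form(y, p, M)]
    print("keys where brute force and closed form differ:", differ)

    M, p = 1024, 1031  # TEST3.M parameters
    failed = [y for y in range(1, M + 1) if not check_key(y, p, M)]
    print("keys failing TEST3 conditions (1)-(3):", failed)
```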
RESULTS OF TEST3.M

octave:14> date
ans =

octave:15> clock
ans =

octave:16> type test3
test3 is the script file: /1093-2/test3.m

## TEST3.M
## Block size is 10 bits. Input is taken from set Z:{1,2,...1024}
## Because of EAS-invented "pseudogroup" operation, output also
## falls in set Z.
## Keys are also taken from set Z - any set element is OK.
## This test proves the following:
## (1) Output set is same as input set Z.
## (2) Each input value has a unique output value, for a given
##     key value.
## (3) The output value from "encrypt.m" can be converted back to
##     the input value with "decrypt.m," given the key value.
## (4) For a given input value, each key value produces a unique
##     output value.
## Written for Octave (GNU MATLAB alternative)

## No paging - want current screen output
page_screen_output=0;

## Set values defining set and underlying group order
N = 10; M = 2^N;  # M = 1024
k = 7; p = M+k;   # p = 1031 (prime)

## Create empty matrix of output values
A = zeros(M);

## Define vector with elements of set Z
v = linspace(1,M,M);

## Create string matrix of neutral values for test condition codes
cc = ['-RESULTS- '; ' key: 1234'];  # Header

## for each key value...
for i = 1:M
  ## insert key value before neutrals
  ccr = [num2str(i), ': ----'];
  ## Leading zeros to make columns line up
  if i<10, ccr = ['0' ccr]; endif
  if i<100, ccr = ['0' ccr]; endif
  if i<1000, ccr = ['0' ccr]; endif
  cc(i+2,:) = ccr;
endfor

############ PART ONE OF TWO ##############
disp(['Tests 1-3, for each key value in set 1,2,...',num2str(M)]);
disp(' ');

## For all possible key values in Z...
for i = 1:M

  ## Show progress
  disp(['Encrypting and decrypting with key y=',num2str(i),'...']);

  ## Set key value for this iteration
  y = v(i);

  ## Encrypt all possible input values in set Z with key
  b = encrypt(v,y,N,k);
  A(:,i) = b';  # Add this output vector to output matrix

  ## Test for conditions (1),(2) now
  b = sort(b);  # Sort ascending
  disp(['Output set: min=',num2str(min(b)),', max=',num2str(max(b))]);

  ##### Test Condition (1) #####
  if ( max(b)==M )
    disp('Output set is same as input set.');
    cc(i+2,7) = '+';
  else
    disp('PROBLEM: Output set larger or smaller than input set!');
    cc(i+2,7) = 'o';
  endif

  ##### Test Condition (2) #####
  ## Each input value should have a unique output value, for a given
  ## key value.
  b = diff(b);  # Get differentials between sorted elements
  if ( min(b)==1 & max(b)==1 )
    disp('All elements in output set are unique.');
    cc(i+2,8) = '+';
  else
    disp('PROBLEM: skipped or duplicated element(s) in output set!');
    cc(i+2,8) = 'o';
  endif

  ##### Decrypt output values for this key #####
  b = decrypt(A(:,i),y,N,k)';

  ##### Test Condition (3) #####
  ## Get differentials between plaintext-encrypted-decrypted (b) and
  ## plaintext (v)
  b = b - v;  # Should be all zeros if test passes
  if ( (max(abs(b))==0) )
    disp('All elements in input set encrypt and decrypt with key and inverse.');
    cc(i+2,9) = '+';
  else
    disp('PROBLEM: One or more elements do not match in encryption/decryption!');
    cc(i+2,9) = 'o';
  endif

  disp(' ');

endfor

############ PART TWO OF TWO ##############
disp(['Test 4, for each input value in set 1,2,...',num2str(M)]);
disp(' ');

##### Test Condition (4) #####
## For all possible input values in Z, working with full matrix of
## outputs
for i = 1:M

  ## Show progress
  disp(['Analyzing outputs for input x=',num2str(i),' with all keys in set...']);

  ## For a given input value, each key value should produce a unique
  ## output value.
  b = diff(sort(A(i,:)));  # Get differentials between sorted elements
  if ( min(b)==1 & max(b)==1 )
    disp('All elements in output set are unique.');
    cc(i+2,10) = '+';
  else
    disp('Skipped or duplicated element(s) in output set.');
    cc(i+2,10) = 'o';
  endif

endfor

## Display test results
disp(cc)

octgie:18> test3 

Tests 1-3, for each key value in set 1,2,... 1024 

Encrypting and decrypting with key y=l . . . 

Output set: min=l, max=1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse. 

Encrypting and decrypting with key y=2 . . . 

Output set: min=l, max=1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse. 

Encrypting and decrypting with key y=3 . . . 

Output set: min=l, max=1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse. 

Encrypting and decrypting with key y=4 . . . 
Output set: min=l, max=1024 
Output set is same as input set. 



All elements in output set are unique . 

All elements in input set encrypt and decrypt with ke^ 
and inverse. 

Encrypting and decrypting with key y=5... 

Output set: min=l, max=1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with ke^ 
and inverse . 

Encrypting and decrypting with key y=6... 

Output set: min=l, max=1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with ke^ 
and inverse. 

Encrypting and decrypting with key y=7 . . . 

Output set: min=l, max=1024 

Output set is same as ^ input set. 

All elements in output! set are unique. 

All elements in input set encrypt and decrypt with ke^ 
and inverse . 

Encrypting and decrypting with key y=8... 

Output set: min=l, maX=1024 

Output set is same as input set. 

All elements in output set are unique . 

All elements in input set encrypt and decrypt with ke^ 
and inverse. 

Encrypting and decrypting with key y=9 . . . 

Output set: min=l, max=1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse. 

Encrypting and decrypting with key y=10... 

Output set: min-1, max=1024 

Output set is same as linput set. 

All elements in output; set are unique. 

All elements in inpulj: set encrypt and decrypt with ke^ 
and inverse. 

i 

Encrypting and decrypting with key y=ll... 

Output set: min=l, max|=1024 

Output set is same as linput set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with ke^ 
and inverse. 



decrypting 



Encrypting and 
Output set: min=l, max : 
Output set is same as 
All elements in output 
All elements in input 
and inverse 



with key y=12. 
-1024 
input set. 
set are unique, 
set encrypt and 



decrypt with ke^ 



Encrypting and decrypting with key y=13 . . . 

Output set: min=l, max=1024 

Output set is same as dnput set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse. 

Encrypting and decrypting with key y=14,.. 

Output set: min=l, max=1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input, set encrypt and decrypt with key 
and inverse. 
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Encrypting and decrypting with key y-15... 

Output set: min-1, max-1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse. 

■ Encrypting and decrypting with key y=16... 
Output set: min-1, max-1024 
Output set is same as input set. 
All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse . 

Encrypting and decrypting with key y=17 . . . 

Output set: min-1, max-1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse. 

Encrypting and decrypting with key y=18... 

Output set: min-1, max-1024 

Output set is same as input set. 

All elements in output set are unique. 

All elements in input set encrypt and decrypt with key 
and inverse.

Encrypting and decrypting with key y=19...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=20...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=21...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=22...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=23...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=24...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=25...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=26...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=27...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=28...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=29...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=30...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=31...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=32...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=33...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=34...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=35...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.
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Output set is same as input set. 
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1014...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1015...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1016...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1017...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1018...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1019...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1020...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1021...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1022...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1023...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Encrypting and decrypting with key y=1024...
Output set: min=1, max=1024
Output set is same as input set.
All elements in output set are unique.

All elements in input set encrypt and decrypt with key
and inverse.

Test 4, for each input value in set 1,2,... 1024 

Analyzing outputs for input x=1 with all keys in set...
All elements in output set are unique.

Analyzing outputs for input x=2 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=3 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=4 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=5 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=6 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=7 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=8 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=9 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=10 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=11 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=12 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=13 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=14 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=15 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=16 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=17 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=18 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=19 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=20 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=21 with all keys in set...
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Analyzing outputs for input x=995 with all keys in set. 
Skipped or duplicated element (s) in output set. 

Analyzing outputs for input x=996 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=997 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=998 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=999 with all keys in set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1000 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1001 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1002 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1003 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1004 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1005 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1006 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1007 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1008 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1009 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1010 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1011 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1012 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1013 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1014 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1015 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1016 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1017 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1018 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1019 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1020 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1021 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1022 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1023 with all keys in
set...
Skipped or duplicated element(s) in output set.

Analyzing outputs for input x=1024 with all keys in
set...
Skipped or duplicated element(s) in output set.


-RESULTS- 

key: 1234 
0001: ++++ 
0002: +++o 
0003: +++o 
0004: +++o 
0005: +++o 
0006: +++o 
0007: +++o 
0008: +++o 
0009: +++o 
0010: +++o 
0011: +++o 
0012: +++o 
0013: +++o 
0014: +++o 
0015: +++o 
0016: +++o 
0017: +++o 
0018: +++o 
0019: +++o 
0020: +++o 
0021: +++o 
0022: +++o 
0023: +++o 
0024: +++o 
0025: +++o 
0026: +++o 
0027: +++o 
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0028: +++o 
0029: +++o 
0030: +++o 
0031: +++o 
0032: +++o 
0033: +++o 
0034: +++o 
0035: +++o 
0036: +++o 
0037: +++o 
0038: +++o 
0039: +++o 
0040: +++o 
0041: +++o 
0042: +++o
0043: +++o
0044: +++o
0045: +++o
0046: +++o
0047: +++o
0048: +++o
0049: +++o
0050: +++o
0051: +++o
0052: +++o
0053: +++o
0054: +++o
0055: +++o
0056: +++o
0057: +++o
0058: +++o
0059: +++o
0060: +++o
0061: +++o
0062: +++o
0063: +++o
0066:
0067:
0068:
0069: +++o
0070:
0071: +++o
0072: +++o
0073: +++o
0074: +++o
0075: +++o
0076: +++o
0077: +++o
0078: +++o
0079: +++o
0080: +++o
0081: +++o
0082: +++o
0083: +++o
0084: +++o
0085: +++o
0086: +++o
0087: +++o
0088: +++o
0089: +++o
0090: +++o
0091: +++o
0092: +++o
0093: +++o
0094: +++o
0095: +++o
0096: +++o
0097: +++o
0098: +++o
0099: +++o
0100:
0101: +++o 
0102: +++o 
0103: +++o 
0104: +++o 
0105: +++o 
0106: +++o 
0107: +++o 
0108: +++o 
0109: +++o 
0110: +++o 
0111: +++o 
0112: +++o 
0113: +++o 
0114: +++o 
0115: +++o 
0116: +++o 
0117: +++o
0118: +++o 
0119: +++o 
0120: +++o 
0121: +++o 
0122: +++o 
0123: +++o 
0124: +++o 
0125: +++o 
0126: +++o 
0127: +++o 
0128: +++o 
0129: +++o 

0130: +++o
0131: +++o
0132: +++o
0133: +++o
0134: +++o
0135: +++o
0136: +++o
0137: +++o
0138: +++o
0139: +++o
0140: +++o
0141: +++o
0142: +++o
0143: +++o
0144: +++o
0145: +++o
0146: +++o
0147: +++o
0148: +++o
0149: +++o
0150: +++o
0151: +++o
0152: +++o
0153: +++o
0154: +++o
0155: +++o
0156: +++o
0157: +++o
0158: +++o
0159: +++o
0160: +++o
0161: +++o
0162: +++o
0163: +++o
0164: +++o
0165: +++o
0166: +++o
0167: +++o
0168: +++o
0169: +++o
0170: +++o
0171: +++o
0172: +++o
0173: +++o
0174: +++o
0175: +++o
0176: +++o
0177: +++o
0178: +++o
0179: +++o 
0180: +++o 
0181: +++o 
0182: +++o 
0183: +++o 
0184: +++o 
0185: +++o 
0186: +++o
0187: +++o
0188: +++o
0189: +++o 
0190: +++o 
0191: +++o 
0192: +++o 
0193: +++o 
0194: +++o 
0195: +++o 
0196: +++o 
0197: +++o 
0198: +++o 
0199: +++o 
0200: +++o 
0201: +++o
0202: +++o
0203: +++o
0204: +++o
0205: +++o
0206: +++o
0207: +++o
0208: +++o
0209: +++o
0210: +++o
0211: +++o
0212: +++o
0213: +++o
0214: +++o
0215: +++o
0216: +++o
0217: +++o
0218: +++o
0220: +++o
0221: +++o
0222: +++o 
0223: +++o 
0224: +++o 
0225: +++o 
0226: +++o 
0227: +++o
0228: +++o
0229: +++o
0230: +++o
0231: +++o
0232: +++o 
0233: +++o 
0234: +++o 
0235: +++o 
0236: +++o 
0237: +++o 
0238: +++o 
0239: +++o 
0240: +++o 
0241: +++o 
0242: +++o 
0243: +++o 
0244: +++o 
0245: +++o 
0246: +++o 



0247: +++o 
0248: +++o 
0249: +++o 
0250: +++o 
0251: +++o 
0252: +++o 
0253: +++o 
0254: +++o 
0255: +++o 
0256: +++o 
0257: +++o 
0258: +++o 
0259: +++o 
0260: +++o
0261: +++o
0262: +++o
0263: +++o
0264: +++o
0265: +++o
0266: +++o
0267: +++o
0268: +++o
0269: +++o
0270: +++o
0271: +++o
0272: +++o
0273: +++o
0274: +++o
0275: +++o 
0276: +++o 
0277: +++o 
0278: +++o 
0279: +++o 
0280: +++o 
0281: +++o 
0282: +++o 
0283: +++o 
0284: +++o 
0285: +++o 
0286: +++o 
0287: +++o 
0288: +++o 
0289: +++o 
0290: +++o 
0291: +++o 
0292: +++o 
0293: +++o
0294: +++o
0295: +++o
0296: +++o
0297: +++o
0298: +++o
0299: +++o
0300: +++o 
0301: +++o 
0302: +++o 
0303: +++o 
0304: +++o 
0305: +++o 
0306: +++o
0307: +++o 
0308: +++o 
0309: +++o 
0310: +++o 
0311: +++o 
0312: +++o 
0313: +++o 
0314: +++o 
0315: +++o 
0316: +++o 
0317: +++o 
0318: +++o
0319: +++o 



0320: +++o 
0321: +++o 
0322: +++o 
0323: +++o 
0324: +++o 
0325: +++o 
0326: +++o 
0327: +++o 
0328: +++o 
0329: +++o 
0330: +++o 
0331: +++o 
0332: +++o 
0333: +++o 
0334: +++o 
0335: +++o 
0336: +++o
0337: +++o
0338: +++o
0339: +++o
0340: +++o 
0341: +++o 
0342: +++o 
0343: +++o 
0344: +++o 
0345: +++o 
0346: +++o 
0347: +++o
0348: +++o
0349:
0350: +++o
0351: +++o
0352: +++o
0353: +++o
0354: +++o
0355: +++o
0356: +++o
0357: +++o
0358: +++o
0359: +++o
0360: +++o
0361: +++o
0362: +++o
0363: +++o
0364: +++o
0365: +++o
0366: +++o
0367: +++o
0368: +++o
0369: +++o 
0370: +++o 
0371: +++o 
0372: +++o 
0373: +++o 
0374: +++o 
0375: +++o 
0376: +++o 
0377: +++o 
0378: +++o 
0379: +++o 
0380: +++o 
0381: +++o 
0382: +++o 
0383: +++o 
0384: +++o 
0385: +++o 
0386: +++o 
0387: +++o 
0388: +++o
0389: +++o 
0390: +++o 
0391: +++o 
0392: +++o 



0393: +++o
0394: +++o
0395: +++o
0396: +++o
0398: +++o
0399: +++o
0400: +++o
0401: +++o
0402: +++o
0403:
0404: +++o
0405: +++o
0406: +++o
0407: +++o
0408: +++o
0409: +++o
0410: +++o
0411: +++o
0412: +++o
0413: +++o
0414:
0415: +++o
0416: +++o
0417: +++o
0418: +++o
0419: +++o
0420: +++o
0421: +++o
0422: +++o
0423: +++o
0424: +++o
0425: +++o
0426: +++o
0427: +++o
0428: +++o
0429: +++o
0430: +++o
0431: +++o
0432: +++o
0433: +++o
0434: +++o
0435: +++o
0436: +++o
0437: +++o
0438: +++o
0439: +++o
0440: +++o
0441: +++o
0442: +++o
0443: +++o
0444: +++o
0445: +++o
0446: +++o
0447: +++o
0448: +++o
0449: +++o
0450: +++o
0451: +++o
0452: +++o
0453: +++o
0454: +++o
0455: +++o
0456: +++o
0457: +++o
0458: +++o
0459: +++o
0460: +++o
0461: +++o
0462: +++o
0463: +++o
0464: +++o
0465: +++o
0466: +++o
0467: +++o
0468: +++o
0469: +++o
0470: +++o 
0471: +++o 
0472: +++o 
0473: +++o 
0474: +++o 
0475: +++o 
0476: +++o 
0477: +++o 
0478: +++o 
0479: +++o 
0480: +++o 
0481: +++o 
0482: +++o 
0483: +++o 
0484: +++o 
0485: +++o 
0486: +++o 
0487: +++o 
0488: +++o 
0489: +++o 
0490: +++o 
0491: +++o
0492: +++o
0493: +++o
0494: +++o
0495: +++o
0496: +++o
0497: +++o
0498: +++o
0499: +++o
0500: +++o
0501: +++o
0502: +++o
0503: +++o
0504: +++o
0505: +++o
0506: +++o
0507: +++o
0508: +++o
0509: +++o
0510: +++o
0511: +++o
0512: +++o
0513: +++o
0514: +++o
0515: +++o 
0516: +++o 
0517: +++o 
0518: +++o 
0519: +++o 
0520: +++o 
0521: +++o 
0522: +++o 
0523: +++o 
0524: +++o 
0525: +++o 
0526: +++o 
0527: +++o 
0528: +++o 
0529: +++o 
0530: +++o
0531: +++o 
0532: +++o 
0533: +++o 
0534: +++o 
0535: +++o 
0536: +++o 
0537: +++o 
0538: +++o 



0539: +++o 
0540: +++o 
0541: +++o 
0542: +++o 
0543: +++o 
0544: +++o 
0545: +++o 
0546: +++o
0547: +++o 
0548: +++o 
0549: +++o 
0550: +++o 
0551: +++o 
0552: +++o 
0553: +++o 
0554: +++o 
0555: +++o 
0556: +++o 
0557: +++o 
0558: +++o 
0559: +++o 
0560: +++o
0561: +++o
0562: +++o
0563: +++o
0564: +++o
0565: +++o
0566: +++o
0567: +++o
0568: +++o 
0569: +++o 
0570: +++o 
0571: +++o 
0572: +++o 
0573: +++o 
0574: +++o 
0575: +++o 
0576: +++o 
0577: +++o 
0578: +++o 
0579: +++o 
0580: +++o 
0581: +++o 
0582: +++o 
0583: +++o 
0584: +++o 
0585: +++o 
0586: +++o 
0587: +++o 
0588: +++o 
0589: +++o 
0590: +++o 
0591: +++o 
0592: +++o 
0593: +++o 
0594: +++o 
0595: +++o 
0596: +++o 
0597: +++o 
0598: +++o 
0599: +++o 
0600: +++o 
0601: +++o 
0602: +++o 
0603: +++o 
0604: +++o 
0605: +++o 
0606: +++o 
0607: +++o
0608: +++o 
0609: +++o 
0610: +++o 
0611: +++o 



0612: +++o 
0613: +++o 
0614: +++o 
0615: +++o 
0616: +++o 
0617: +++o 
0618: +++o 
0619: +++o 
0620: +++o 
0621: +++o
0622: +++o
0623: +++o
0624: +++o
0625: +++o
0626: +++o
0627: +++o
0628: +++o
0629: +++o
0630: +++o
0631: +++o 
0632: +++o 
0633: +++o 
0634: +++o 
0635: +++o 
0636: +++o 
0637: +++o 
0638: +++o 
0639: +++o
0640: +++o
0641: +++o
0642: +++o
0643: +++o
0644: +++o
0645: +++o
0646: +++o
0647: +++o
0648: +++o
0649: +++o
0650: +++o
0651: +++o
0652: +++o
0653: +++o
0654: +++o
0655: +++o
0656: +++o
0657: +++o
0658: +++o
0659: +++o
0660: +++o 
0661: +++o 
0662: +++o 
0663: +++o 
0664: +++o 
0665: +++o 
0666: +++o 
0667: +++o 
0668: +++o 
0669: +++o 
0670: +++o 
0671: +++o 
0672: +++o
0673: +++o 
0674: +++o 
0675: +++o 
0676: +++o 
0677: +++o 
0678: +++o 
0679: +++o 
0680: +++o 
0681: +++o 
0682: +++o 
0683: +++o 
0684: +++o 



0685: +++o 
0686: +++o 
0687: +++o 
0688: +++o 
0689: +++o 
0690: +++o 
0691: +++o 
0692: +++o 
0693: +++o 
0694: +++o 
0695: +++o 
0696: +++o 
0697: +++o 
0698: +++o 
0699: +++o 
0700: +++o 
0701: +++o 
0702: +++o 
0703: +++o 
0704: +++o 
0705: +++o 
0706: +++o 
0707: +++o 
0708: +++o
0709: +++o
0710: +++o
0711: +++o
0712: +++o
0713: +++o
0714: +++o 
0715: +++o 
0716: +++o 
0717: +++o 
0718: +++o 
0719: +++o 
0720: +++o 
0721: +++o 
0722: +++o 
0723: +++o
0724: +++o
0725: +++o
0726: +++o
0727: +++o
0728: +++o
0729: +++o 
0730: +++o 
0731: +++o 
0732: +++o 
0733: +++o 
0734: +++o 
0735: +++o 
0736: +++o 
0737: +++o 
0738: +++o 
0739: +++o 
0740: +++o 
0741: +++o 
0742: +++o 
0743: +++o 
0744: +++o
0745: +++o
0746: +++o
0747: +++o 
0748: +++o 
0749: +++o 
0750: +++o 
0751: +++o 
0752: +++o 
0753: +++o 
0754: +++o 
0755: +++o 
0756: +++o 
0757: +++o 



0758: +++o
0759: +++o
0760: +++o
0761: +++o
0762: +++o
0763: +++o
0764: +++o
0765: +++o
0766: +++o
0767: +++o
0768: +++o
0769: +++o
0770: +++o
0771: +++o
0772: +++o
0773: +++o
0774: +++o
0775: +++o
0776: +++o
0777: +++o
0778: +++o
0779: +++o
0780: +++o
0781: +++o
0782: +++o
0783: +++o
0784: +++o
0785: +++o
0786: +++o
0787: +++o
0788: +++o
0789:
0790: +++o
0791: +++o
0792: +++o
0794: +++o
0795: +++o
0796: +++o
0797: +++o
0798: +++o
0799: +++o
0800: +++o
0801: +++o
0802: +++o
0803: +++o
0804: +++o
0805: +++o
0806: +++o
0807: +++o 
0808: +++o 
0809: +++o 
0810: +++o 
0811: +++o
0812: +++o
0813: +++o
0814: +++o
0815: +++o
0816: +++o
0817: +++o
0818: +++o
0819: +++o 
0820: +++o 
0821: +++o 
0822: +++o 
0823: +++o 
0824: +++o 
0825: +++o 
0826: +++o 
0827: +++o 
0828: +++o
0829: +++o 
0830: +++o 



0831: +++o 
0832: +++o 
0833: +++o
0834: +++o
0835: +++o
0836: +++o
0837: +++o 
0838: +++o 
0839: +++o 
0840: +++o 
0841: +++o 
0842: +++o 
0843: +++o 
0844: +++o 
0845: +++o 
0846: +++o 
0847: +++o 
0848: +++o 
0849: +++o 
0850: +++o 
0851: +++o
0852: +++o 
0853: +++o 
0854: +++o 
0855: +++o 
0856: +++o 
0857: +++o 
0858: +++o 
0859: +++o
0860: +++o 
0861: +++o 
0862: +++o 
0863: +++o 
0864: +++o 
0865: +++o 
0866: +++o 
0867: +++o 
0868: +++o 
0869: +++o 
0870: +++o 
0871: +++o 
0872: +++o 
0873: +++o 
0874: +++o
0875: +++o 
0876: +++o 
0877: +++o 
0878: +++o 
0879: +++o 
0880: +++o 
0881: +++o 
0882: +++o 
0883: +++o 
0884: +++o 
0885: +++o 
0886: +++o 
0887: +++o 
0888: +++o 
0889: +++o 
0890: +++o 
0891: +++o
0892: +++o 
0893: +++o 
0894: +++o 
0895: +++o 
0896: +++o 
0897: +++o 
0898: +++o 
0899: +++o 
0900: +++o 
0901: +++o 
0902: +++o 
0903: +++o 



0904: +++o 
0905: +++o 
0906: +++o
0907: +++o 
0908: +++o 
0909: +++o 
0910: +++o 
0911: +++o 
0912: +++o 
0913: +++o 
0914: +++o 
0915: +++o 
0916: +++o 
0917: +++o 
0918: +++o 
0919: +++o 
0920: +++o 
0921: +++o 
0922: +++o 
0923: +++o 
0924: +++o 
0925: +++o 
0926: +++o
0927: +++o
0928: +++o
0929: +++o
0930: +++o
0931: +++o
0932: +++o
0933: +++o
0934: +++o
0935: +++o
0936: +++o
0937: +++o
0938: +++o
0939: +++o
0940: +++o
0941: +++o
0942: +++o
0943: +++o
0944: +++o
0945: +++o
0946: +++o
0947: +++o
0948: +++o
0949: +++o
0950: +++o
0951: +++o
0952: +++o
0953: +++o 
0954: +++o 
0955: +++o 
0956: +++o 
0957: +++o 
0958: +++o
0959: +++o
0960: +++o
0961: +++o
0962: +++o
0963: +++o 
0964: +++o 
0965: +++o 
0966: +++o 
0967: +++o 
0968: +++o 
0969: +++o 
0970: +++o 
0971: +++o 
0972: +++o 
0973: +++o 
0974: +++o 
0975: +++o 
0976: +++o 



0977: +++o
0978: +++o
0979: +++o
0980: +++o
0981: +++o
0982: +++o
0983: +++o
0984: +++o
0985: +++o
0986: +++o
0987: +++o
0988: +++o
0989: +++o
0990: +++o
0991: +++o
0992: +++o
0993: +++o
0994: +++o
0995: +++o
0996: +++o
0997: +++o
0998: +++o
0999: +++o
1000: +++o 
1001: +++o 
1002: +++o 
1003: +++o 
1004: +++o 
1005: +++o 
1006: +++o 
1007: +++o
1008: +++o
1009: +++o
1010: +++o
1011: +++o 
1012: +++o 
1013: +++o 
1014: +++o 
1015: +++o 
1016: +++o 
1017: +++o 
1018: +++o 
1019: +++o 
1020: +++o
1021: +++o 
1022: +++o 
1023: +++o 
1024: +++o 

octave :19> diary off 



RESULTS OF TEST3B.M 

octave :4> date 

ans = W ^^^^^ ^S, 

octave :5> clock 
ans = 



octave:6> type test3b

test3b is the script file: /1093-2/test3b.m
## TEST3B.M

## Block size is 10 bits. Input is taken from set Z: {1, 2, ... 1024}
## Because of EAS-invented "pseudogroup" operation, output also
## falls in set Z.

## Keys are also taken from set Z - any set element is OK.

## This test analyzes outputs for a given input over all
## possible keys.

## Written for Octave (GNU MATLAB alternative)

## No paging - want current screen output
page_screen_output = 0;

## Set values defining set and underlying group order
N = 10; M = 2^N;    # M = 1024
k = 7; p = M+k;     # p = 1031 (prime)

## Define vector with elements of set Z
v = linspace(1,M,M);

## Define vector of skip/repeat counts
cc = zeros(1,M);

disp(['Test for each input value in set 1,2,...', num2str(M)])
disp(' ');

## For all possible input values in Z.
for i = 1:M

  ## Show progress
  disp(['Encrypting with input value y=', num2str(i), '...'])

  ## Set input value for this iteration
  x = v(i);

  ## Encrypt input value with all keys in set Z
  for j = 1:M
    b(j) = encrypt(x,v(j),N,k);
  endfor

  disp(['Output set: min=', num2str(min(b)), ', max=', num2str(max(b))]);
  disp(' ');

  ## Identify any skipped or repeated set elements
  ## with vector of index numbers
  b1 = sort(b);          # Sort ascending
  b2 = [diff(b1)'];      # Should be all 1's...
  b2 = b2~=1;            # ...so 1's indicate skips/repeats
  Nsr = sum(b2);         # Count of skips/repeats
  b3 = b2 .* v(1:M-1);   # map index numbers to skips/repeats
  b3 = sort(b3);         # Sort ascending
  b4 = b3(M-Nsr:M-1);    # Select only skips/repeats
  if (Nsr > 0)
    disp(['There are ', num2str(Nsr), ' skips & repeats, at:']);
    disp(b4);
    disp(' ');
    c = zeros(6,Nsr);    # Start with empty ("0") matrix
    for j = 1:Nsr
      k1 = max([1 b4(j)-2]);
      k2 = min([b4(j)+3 M]);
      c(1:k2-k1+1,j) = b1(k1:k2);
    endfor
    disp(c)
  endif

  cc(i) = Nsr;           # Add this count to vector
  disp(['Maximum skips & repeats for a given input (so far):', num2str(max(cc))]);
  disp(' ');

endfor

octave :9> test3b 

Test for each input value in set 1,2,.., 1024 

Encrypting with input value y=1...
Output set: min=1, max=1024

Maximum skips & repeats for a given input (so far):0

Encrypting with input value y=2...
Output set: min=1, max=1024

There are 6 skips & repeats, at:

    10   518   520  1021  1022  1023

     8   515   517  1016  1017  1018
     9   516   517  1017  1018  1020
    10   517   518  1018  1020  1022
    10   517   518  1020  1022  1024
    11   518   519  1022  1024     0
    12   518   520  1024     0     0

Maximum skips & repeats for a given input (so far):6

Encrypting with input value y=3...
Output set: min=1, max=1024

There are 8 skips & repeats, at:

    10   346   690   692  1016  1018  1020  1022

     8   343   686   688  1010  1012  1015  1018
     9   344   687   688  1011  1014  1017  1020
    10   345   688   689  1012  1015  1018  1021
    10   345   688   689  1014  1017  1020  1023
    11   346   689   690  1015  1018  1021  1024
    12   347   689   691  1017  1020  1023     0

Maximum skips & repeats for a given input (so far):8

Encrypting with input value y=4...
Output set: min=1, max=1024

There are 10 skips & repeats, at:

     3   260   519   523   778  1011  1014  1017  1020  1023

     1   257   515   518   772  1004  1008  1012  1016  1020
     2   258   516   519   773  1005  1009  1013  1017  1021
     3   259   517   520   774  1006  1010  1014  1018  1022
     3   259   517   520   774  1008  1012  1016  1020  1024
     4   260   518   521   775  1009  1013  1017  1021     0
     5   261   519   522   776  1010  1014  1018  1022     0

Maximum skips & repeats for a given input (so far):10



Encrypting with input value y=5...
Output set: min=1, max=1024

There are 10 skips & repeats, at:

     6   212   418   624   830  1005  1009  1013  1017  1021

     4   209   414   619   824   998  1003  1008  1013  1018
     5   210   415   620   825   999  1004  1009  1014  1019
     6   211   416   621   826  1000  1005  1010  1015  1020
     6   211   416   621   826  1002  1007  1012  1017  1022
     7   212   417   622   827  1003  1008  1013  1018  1023
     8   213   418   623   828  1004  1009  1014  1019  1024

Maximum skips & repeats for a given input (so far):10

Encrypting with input value y=6...
Output set: min=1, max=1024

There are 10 skips & repeats, at:

   176   346   518   691   864   999  1004  1009  1014  1019

   174   343   514   686   858   992   998  1004  1010  1016
   175   344   515   687   859   993   999  1005  1011  1017
   176   345   516   688   860   994  1000  1006  1012  1018
   176   345   516   688   860   996  1002  1008  1014  1020
   177   346   517   689   861   997  1003  1009  1015  1021
   178   347   518   690   862   998  1004  1010  1016  1022

Maximum skips & repeats for a given input (so far):10



Encrypting with input value y=7...
Output set: min=1, max=1023

There are 11 skips & repeats, at:

   149   297   445   593   741   889   994  1000  1006  1012  1018

   147   294   441   588   735   882   986   993  1000  1007  1014
   148   295   442   589   736   883   987   994  1001  1008  1015
   149   296   443   590   737   884   988   995  1002  1009  1016
   149   296   443   590   737   884   990   997  1004  1011  1018
   150   297   444   591   738   885   991   998  1005  1012  1019
   151   298   445   592   739   886   992   999  1006  1013  1020

Maximum skips & repeats for a given input (so far):11

Encrypting with input value y=8...
Output set: min=1, max=1024

There are 12 skips & repeats, at:

     3     4   261   520   521   779   988   995  1002  1009  1016  1023

     1     2   257   515   516   772   980   988   996  1004  1012  1020
     2     3   258   516   517   773   981   989   997  1005  1013  1021
     3     3   259   517   517   774   982   990   998  1006  1014  1022
     3     3   259   517   517   774   984   992  1000  1008  1016  1024
     3     4   260   517   518   775   985   993  1001  1009  1017     0
     4     5   261   518   519   776   986   994  1002  1010  1018     0

Maximum skips & repeats for a given input (so far):12

Encrypting with input value y=9...
Output set: min=1, max=1024

There are 12 skips & repeats, at:

     2   346   347   464   692   922   982   990   998  1006  1014  1022

     1   343   344   459   686   915   974   983   992  1001  1010  1019
     2   344   345   460   687   916   975   984   993  1002  1011  1020
     2   345   345   461   688   917   976   985   994  1003  1012  1021
     3   345   345   461   688   917   978   987   996  1005  1014  1023
     4   345   346   462   689   918   979   988   997  1006  1015  1024
     0   346   347   463   690   919   980   989   998  1007  1016     0

Maximum skips & repeats for a given input (so far):12

Encrypting with input value y=10... 
Output set: min=l, max=1024 



There are 12 skips & repeats, at: 





Maximum skips & repeats for a given input (so far): 12









Maximum skips & repeats for a given input (so far): 12



Encrypting with input value y=1014...
Output set: min=1, max=1024

There are 12 skips & repeats, at:


















Maximum skips & repeats for a given input (so far): 12






Encrypting with input value y=1015...
Output set: min=1, max=1024

There are 12 skips & repeats, at:














Maximum skips & repeats for a given input (so far): 12




Encrypting with input value y=1016...
Output set: min=1, max=1024

There are 12 skips & repeats, at:

















Maximum skips & repeats for a given input (so far): 12





Encrypting with input value y=1017... 
Output set: min=1, max=1024



There are 12 skips & repeats, at: 



Maximum skips & repeats for a given input (so far): 12 

Encrypting with input value y=1018... 
Output set: min=1, max=1024

There are 12 skips & repeats, at: 





Maximum skips & repeats for a given input (so far): 12





Encrypting with input value y=1019... 
Output set: min=1, max=1024

There are 12 skips & repeats, at:





Maximum skips & repeats for a given input (so far): 12





Encrypting with input value y=1020...
Output set: min=1, max=1024

There are 12 skips & repeats, at:





Maximum skips & repeats for a given input (so far): 12





Encrypting with input value y=1021...
Output set: min=1, max=1024



There are 12 skips & repeats, at: 






Maximum skips & repeats for a given input (so far): 12 

Encrypting with input value y=1022...
Output set: min=1, max=1024

There are 12 skips & repeats, at: 





Maximum skips & repeats for a given input (so far): 12





Encrypting with input value y=1023... 
Output set: min=1, max=1024

There are 12 skips & repeats, at: 





Maximum skips & repeats for a given input (so far): 12






Encrypting with input value y=1024...
Output set: min=1, max=1024

There are 12 skips & repeats, at:


















Maximum skips & repeats for a given input (so far): 12





octave:10> date
ans =

octave:11> clock
ans =

octave:12> diary off






Pronounceable Passphrase Worksheet 



by Edwin A. Suominen 



Entropy 

About 64 bits, for 
minimum < 



Example Passphrase 
nihudezo dogiz pozubume 



Digit Content                                                  Min. Digits

Alternating consonants (C), vowels (V)                         C: 11

C, 13: {b,d,g,h,k,l,m,n,p,r,s,t,z}   V, 5: {a,e,i,o,u}         V: 10

The vowels and phonetically distinct consonants below are pseudorandomly distributed, created using alternating 
pseudorandom lookups to a list of consonants b,d,g,h,k,l,m,n,p,r,s,t,z and vowels a,e,i,o,u. Alternating randomly selected 
consonants and randomly selected vowels from the array below form passphrases that have a faintly Oriental or African sound to 
them, and are more memorable than random alphanumerics. Consonants c,f,j,q,v,w,x,y are omitted because the passphrases tend 
to have a more distinct sound and are easier to pronounce without them. 

You should split the consonant/vowel pairs into groups to make the passphrase pronounceable and thus more memorable. 
The suggested way of grouping the minimum 11 consonants and 10 vowels is as follows: CVCVCVCV CVCVC CVCVCVCV. 
Note that the middle group begins and ends with a consonant. The resulting passphrase has a distinct sound that makes you 
wonder if the "words" show up in some foreign language even though they're just groups of randomly chosen letters. 

Unbend a paper clip slightly, repeatedly toss the clip onto a printout of this page without aiming it anywhere in particular, 
and select the consonant/vowel pair to which the unbent end comes closest to get the next digit in your consonant-vowel 
sequence. Don't use both digits from a pair - each digit in your passphrase needs its own toss. With good random tosses, you can 
expect the clip to bounce outside the array of digits below about half the time. Just toss again. Don't aim at any particular region. 
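
The worksheet's selection procedure, as an added example that is not part of the original worksheet: it replaces the paper-clip toss with Python's `secrets` module (an assumption of this example), draws every letter independently, and computes the entropy of both the 21-letter grouping and the eight consonant-vowel pairs analysed later in the document. The names `generate`, `entropy_bits`, `combinations` and `matches_pattern` are hypothetical.

```python
import math
import secrets

# Alphabets from the worksheet: 13 consonants and 5 vowels.
CONSONANTS = "bdghklmnprstz"
VOWELS = "aeiou"
# Suggested grouping of the minimum 11 consonants and 10 vowels.
WORKSHEET_GROUPS = ("CVCVCVCV", "CVCVC", "CVCVCVCV")
# Eight consonant-vowel pairs; writing them as one group is an assumption.
EIGHT_PAIRS = ("CV" * 8,)

_ALPHABET = {"C": CONSONANTS, "V": VOWELS}


def _check_groups(groups):
    if not groups or any(not g or set(g) - set("CV") for g in groups):
        raise ValueError("each group must be a non-empty string of 'C' and 'V'")


def generate(groups=WORKSHEET_GROUPS):
    """One independent, uniform draw per letter (one 'toss' per digit)."""
    _check_groups(groups)
    return " ".join(
        "".join(secrets.choice(_ALPHABET[slot]) for slot in group)
        for group in groups
    )


def combinations(groups=WORKSHEET_GROUPS):
    """Number of distinct passphrases the pattern can produce."""
    _check_groups(groups)
    return math.prod(len(_ALPHABET[slot]) for slot in "".join(groups))


def entropy_bits(groups=WORKSHEET_GROUPS):
    """Entropy in bits, valid only when every letter is drawn uniformly."""
    _check_groups(groups)
    return sum(math.log2(len(_ALPHABET[slot])) for slot in "".join(groups))


def matches_pattern(passphrase, groups=WORKSHEET_GROUPS):
    """True if the passphrase uses only worksheet letters in the given pattern."""
    _check_groups(groups)
    words = passphrase.split(" ")
    if len(words) != len(groups):
        return False
    for word, group in zip(words, groups):
        if len(word) != len(group):
            return False
        if any(ch not in _ALPHABET[slot] for ch, slot in zip(word, group)):
            return False
    return True


if __name__ == "__main__":
    print(generate())
    print(f"{entropy_bits():.1f} bits for the 21-letter pattern")
    print(f"{combinations(EIGHT_PAIRS):,} combinations for eight CV pairs")
```

The entropy figure holds only for letters chosen uniformly at random; a passphrase picked or adjusted by hand to sound better has less.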
SECURE PASSPHRASE 

Z2-Z6 illustrate screen shots of a secure passphrase entry system according to 
various aspects of the invention, illustrating an exemplary user interface at different 
points during the input of a passphrase without the use of keystrokes. Thus, the 
security hazard of keystroke loggers can be avoided. In addition, the mouse-based 
input method may be preferred by users over the use of a keyboard, for example when 
they are entering their passphrase to browse encrypted e-mails or files. In an 
experiment the applicant carried out, "entering" the passphrase by the mouse input 
method (simulated by tapping a pen onto a printout similar to Z2-Z6) did not take him 
much longer than typing in the passphrase. 

Advantageously, the passphrase is represented in the illustrated embodiment (as 
it is entered) both as circled letters and as a pair of stair-stepped line segments having 
characteristic shapes. Viewing the passphrase and its associated characteristic shapes of 
the line segments helps the user to remember the passphrase. Human brains are good at 
remembering pronounceable words (even when they are nonsense words) and are also 
good at remembering characteristic shapes. The combination of both characteristics of a 
unique passphrase can be expected to improve the user's ability to remember it when 
the time comes to input the passphrase. 

A delay system according to another aspect of the invention, illustrated in the 
block diagrams of Z7 and Z8, makes a secure delay according to various aspects of the 
invention less obtrusive to the user. It does so by beginning the delay process when 
the passphrase has been partially entered. Advantageously, such a system performs the 
delay computations substantially in parallel with the unavoidable delay of the user's 
input of the passphrase. Even when typing quickly, it took the applicant at least about 
three seconds to enter the passphrase during his experiment. This is a substantial period 
of delay that, when made computationally unavoidable, makes cracking the 2^48 
possible combinations of the randomly chosen passphrase nearly impossible with the 
computing horsepower available around the date of filing of the present application. 
(See Z9 and Z10 for a detailed computational analysis.) The screen shots of Z2-Z6 show 
the "private key delayed unlocking" beginning with the first consonant-vowel pair 
entered by the user. The delayed unlocking (the inventive "computationally 
unavoidable" delay) continues substantially in parallel with the user's input of 
additional consonant-vowel pairs. Note Z6, in which the passphrase is confirmed and 
the private key has been completely unlocked. 

Number of consonants                                        13
Number of vowels                                            5
Combinations in each CV pair                                65
Pairs                                                       8
Total Combinations                                          318,644,812,890,625
Base-2 Entropy                                              48

Mean Input Times
Touch typing (fast), hidden digits                          4.70 (sec) = (5.3 + 4 + 5 + 5.1 + 4.1)/5
Touch typing (fast), digits shown                           3.88 = (3.8 + 3.5 + 3.4 + 3.5 + 5.2)/5
Mouse, drag line through digits                             9.32 = (9.7 + 9.2 + 9.8 + 8.9 + 9)/5
Mouse, click on digits                                      8.28 = (8 + 8.2 + 8.9 + 8 + 8.3)/5

Set total delay to minimum total input time                 3.88 (sec)
(Keeps user from noticing the delay)

Software (equivalent machine) Attack Analysis
Total number of seconds for all delayed
  combinations (on equivalent machine)                      1,236,341,874,015,620
Average number of years on equivalent
  machine (1/2 total)                                       19,602,072
Effective lifetime of signing key (years)                   20
Performance multiplier at end of life (Moore's law)         10,321
Total number of seconds for all delayed
  combinations (on future machine)                          119,785,790,491
Number of future machines in network                        1,000
Average number of years on future
  machine network (1/2 total)                               0.95

Massively Parallel Hardware (FPGA, ASIC) Attack Analysis
Budget (current equivalent dollars)                         1,000,000
Cost per FPGA or ASIC (with NRE)                            400
Number of available parallel branches in budget             2,500
Number of parallel branches operating simultaneously        2,048
Performance multiplier of each branch over
  equivalent machine                                        100
Total performance multiplier over equivalent machine        204,800
Total number of seconds for all delayed combinations        6,036,825,557
Average number of years (1/2 total)                         96
Effective lifetime of signing key (years)                   20
Performance multiplier at end of life (Moore's law)         10,321
Total number of seconds for all delayed
  combinations (on future hardware system)                  584,892
Average number of days on future machine (1/2 total)        3.38

But here's where the key lookup helps protect against such attacks...

Random keys in key lookup table                             8,192
Size of each key (in bytes)                                 16
Total memory for lookup table (bytes)                       131,072
Total fast SRAM memory for all branches (bytes)             268,435,456
Total MB of fast SRAM memory                                262,144
Cost per MB of SRAM (current equivalent dollars)            10
Total cost of SRAM                                          2,621,440
(See budget above.)

SECURE DELAY OF HASH OUTPUT 

A secure delay according to various aspects of the present inventions can be 
applied in other areas than just passphrase security. For example, a hash value can be 
run through a secure delay to produce a smaller hash value that would be 
computationally infeasible to derive based on a birthday attack. In one conceived 
embodiment, a 160-bit hash value is repeatedly run through a secure delay for a 
predetermined number of iterations that, given a security selection, corresponds to an 
acceptable unit delay. (An example of an acceptable unit delay is 1 second.) At the end 
of each unit delay, a sub-hash is computed from the current output of the secure delay 
and displayed. 

A person wishing to compare hash values can begin comparing a first group of 
digits corresponding to the first sub-hash after the first unit delay, and while the second 
unit delay is underway. When the person looks for the second group of digits to 
compare, the second unit delay (when optimally chosen) is already completed and the 
third unit delay is underway. 
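
An added sketch of the unit-delay scheme just described, not code from the original document: it assumes an iterated SHA-256 chain as a stand-in for the secure delay and a 4-digit decimal group as the sub-hash, and all function names and the `iterations_per_unit` parameter are hypothetical. The generator yields each group as soon as its unit delay finishes, so comparing one group can overlap with computing the next.

```python
import hashlib
from typing import Iterable, Iterator, Optional


def secure_delay_unit(state: bytes, iterations: int) -> bytes:
    """One unit delay: a strictly sequential hash chain (assumed delay function)."""
    for _ in range(iterations):
        state = hashlib.sha256(state).digest()
    return state


def sub_hash(state: bytes, unit_index: int, digits: int) -> str:
    """Short decimal group computed from the delay output at the end of a unit."""
    tagged = hashlib.sha256(
        b"sub-hash" + unit_index.to_bytes(4, "big") + state
    ).digest()
    return str(int.from_bytes(tagged, "big") % 10 ** digits).zfill(digits)


def delayed_sub_hashes(full_hash: bytes, units: int, iterations_per_unit: int,
                       digits: int = 4) -> Iterator[str]:
    """Validate eagerly, then yield one group per completed unit delay."""
    if len(full_hash) != 20:
        raise ValueError("expected a 160-bit (20-byte) hash value")
    if units < 1 or iterations_per_unit < 1 or digits < 1:
        raise ValueError("units, iterations_per_unit and digits must be positive")

    def _groups() -> Iterator[str]:
        state = full_hash
        for index in range(units):
            # Each unit continues from the previous output, so group k
            # cannot be produced without paying for units 0..k first.
            state = secure_delay_unit(state, iterations_per_unit)
            yield sub_hash(state, index, digits)

    return _groups()


def first_mismatch(local: Iterator[str],
                   remote_groups: Iterable[str]) -> Optional[int]:
    """Compare group by group; stop computing at the first difference.

    Returns the index of the first differing group, or None if every
    remote group matched.
    """
    remote = list(remote_groups)
    if not remote:
        raise ValueError("nothing to compare")
    for index, theirs in enumerate(remote):
        try:
            mine = next(local)
        except StopIteration:
            return index  # the other side read out more groups than we computed
        if mine != theirs:
            return index
    return None


if __name__ == "__main__":
    # Constructed sample input: SHA-1 of a made-up record gives a 160-bit value.
    sample = hashlib.sha1(b"constructed sample record").digest()
    # In practice iterations_per_unit would be calibrated to about one second.
    for group in delayed_sub_hashes(sample, units=3, iterations_per_unit=200_000):
        print(group)
```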

Thus, a securely delayed hash system according to various aspects of the 
inventions can provide a smaller hash value with the same security as the larger hash 
value from which it is derived. The loss in entropy in the smaller value is offset by the 
computational difficulty (from the secure delay) of obtaining the smaller value. An 
attacker wishing to find a larger hash value that produces the smaller hash value will 
need to run the secure delay, on average, N2/2 times with the secure delay 
computation for each iteration. 

If T = delay time (on an equivalent processor as that of the legitimate user), then 
T2 = T*N2/2. If T = 1 second, and the required T2 = 1,000,000 CPU years, then the 
required N2 ~= 2^21, a much smaller value than, say, 2^160. 

Since a hash value is not particularly sensitive, it can be sent freely over insecure 
networks. It is conceivable that an Internet site can be established for quickly computing 
smaller "sub-hashes" based on transmitted hash values through an open-source, 
standardized secure delay algorithm. However, it is more likely that the market will 
demand simplicity and standardization, and an average delay within the reach of the 
average desktop PC. (The remote-computation model may be useful for portable 
computers, though.) 

VIRTUAL SIGNATURE PRINTER 

According to various aspects of the present inventions, an electronic record (e.g., 
MS Word document, AUTOCAD drawing, etc.) can be signed by "printing" that record 
to a special "virtual signature printer." An example of a virtual printer is the "PDF 
Writer" printer driver that is installed with the ADOBE ACROBAT software. The 
inventive "virtual signature printer" provides the user with an intuitive, simple way of 
authenticating an electronic record. 

The "virtual signature printer" system produces an output file (or multiple files, 
see below) that can be sent to a recipient for viewing, printing, and validation. The 
recipient can view or print the file (preferably, the file is "backward compatible" 
with widely available viewing software) and, with special software, can 
validate the signature on the file. 

A particularly advantageous way of signing an electronic record that has been 
"printed" this way is with embedded signatures. However, a "virtual signature printer" 
system can employ any suitable technique for signing an electronic record. The 
following are some examples of output of such a system: 

• A PS or TIFF file (or, with suitable licensing if necessary, a PDF file) 
representing the document, accompanied by a detached PGP-compatible 
signature file. 

• A ZIP file containing a PS, TIFF, or PDF file representing the document 
including a ZIP comment containing a Base-64 PGP-compatible signature. 

• A PGP-signed file containing the document in a PS, TIFF, or PDF file. 

When the signer wishes to electronically sign a document he or she can print the 
document to the virtual signature printer driver, using the print functionality of the 
software used to create the document. The printer driver creates a window in which the 
software requests the signer's authenticating information. The user can enter his or her 
passphrase, apply his or her fingerprint to a fingerprint scanner, insert a smart card, etc. 
The software then computes the digital signature for the document, based on the 
authenticating information or a private key unlocked by the authenticating information, 
and embeds the digital signature within an output file or includes the digital signature in 
a separate file. 

Law Offices of Thomas Workman 
41 Harrison Street 
Taunton, MA 02780 

Re: Cryptography Technology 

Dear Ted: 

This brief disclosure is an example of a clear-signed document with a simulated 
digital signature (25x13 bits = 325 bits) that resides as a graphic within a signature block 
that is excluded from the signature calculation of the document. In an actual 
implementation, the user will place the signature block in the document and will then 
"print" the document to the digital signature printer driver. The driver will then create a 
graphic file such as a TIFF (multi-page if necessary), remove the graphics in the region 
where the signature block will go (setting that graphic data to a default blank value), 
compute the signature for the entire document except the signature region, and place the 
signature data in the region as graphic-mode text. 

The document's signature can be verified simply by opening it with a customized 
TIFF reader, which will detect the presence of the signature region and will validate the 
signature within it against the data of the document except the graphics within the 
signature block. An option can be provided to put the signature data on an entirely 
separate page of the document (e.g., after the last page), preferably with a facsimile copy 
of the signer's ACI. (In such embodiments, the ACI should have a blank space for the 
signature data of a document signed with the ACI's signing key.) 

An exemplary process is illustrated in the attached FIG. \ , in which a signer 
creates a document (e.g., this letter) using whatever software he (or she) wishes to use (e.g., 
Microsoft Word 97). He then prints the document to the SelfCertify.com virtual TIFF 
printer (call it a "software signature machine"?). The printer driver software creates a TIFF 
file of the document and displays it in a viewer window. The user interface of the viewer 
window requests the following input from the signer: 

1. Selection of a graphical region within the displayed document for application of 
the signer's digital signature "stamp." The user can specify the region by moving 
a dashed box around the screen. The dashed box can have left and right arrows 
within it for navigating to different pages of a multi-page document, and a 
"Sign Here" or "OK" button for applying the digital signature "stamp" at the 
current location of the box. An unsigned signature page of this letter is attached 
showing what such a box might look like as it is moved around during the 
selection process. 

2. Authentication from the signer to apply his digital signature to the document 
within the digital signature "stamp" at the selected location. As discussed in 
other disclosures, the authentication can be a securely delayed passphrase input. 

When the signer has selected the location of the digital signature stamp and 
provided authentication for its creation, the printer driver software removes all graphic 
information from the selected location. It then computes the digital signature based on (1) 
the remaining data of the TIFF file (exclusive of the location of the stamp) and (2) the 
signer's private key. 

Advantageously, the signed document is in a conventional format (e.g., multi-page 
TIFF) that can be read by any conventional viewer if signature authentication is not 
needed. When signature authentication is needed, a document can be viewed using the 
SelfCertify.com TIFF viewer (which may be distributed freely to encourage use of 
SelfCertify.com's digital signature services). 

To verify a digital signature, the viewer searches the graphical rendering of the 
signed document for the distinctive graphical outline of the signature block. Distinctive 
features of the graphical outline can include (1) a distinctive color such as maroon, (2) a 
distinctive line shape such as double parallel lines, and (3) a distinctive line weight such 
as 3.2 points (not an integer or x.5 fraction). All of these distinctive properties are present 
in the simulated signature block for this document. In addition, the signature block can 
have a predetermined size to further identify it. 

Once the viewer software has identified the exact location of the signature block, 
it removes all of the graphic data of the signature block (up to and including the border) 
and sets it to the default blank value used during signature calculation. It performs an 
optical character recognition of the signature data within the block to obtain the value of 
the digital signature. According to advantageous aspects of the invention disclosed 
elsewhere, the digital signature can be applied to a secure delay to obtain another, larger 
digital signature value. The digital signature value (as shown or as expanded through a 
secure delay) is then validated against the modified TIFF representation of the document. 



Very truly yours, 



NOTE: Signature data can be in the 
form of a bar code (1D or 2D). If 
license to PDF format could be 
obtained, could include signature 
characters as data (not image pixels) 
and search would be very simple 
search for key tag characters in file. 

5420-2178-9001-76i80-1477 
7731-3376-2645-37*9-9105 



Edwin A. Suominen 



PEERNET.DRV TIFF Driver converts any document capable of being 
printed by a Windows application into high quality serialized or multi-page 
TIFF images. It is ideal for imaging or archiving applications. It's 
also a handy file-generation tool for cross-platform article distribution. 

TIFF conversion is as fast as printing. Document scanning is obsolete. 
Paper waste is a thing of the past. 

Features of PEERNET.DRV TIFF Driver 

Append Mode (Version 4 only) 

Build a multi-page file gradually by appending pages to an existing file 
whenever the need arises. 

Color Correction 

Lets you adjust the image's appearance to compensate for monitor 
non-linearity on Windows NT 4.0 and Windows 2000. 

Color Modes 

Color or "Black and White only". 

Color Reduction 

Turn automatic color reduction on or off, to suit your needs. Automatic 
color reduction reduces your image to its fewest number of colors 
without affecting picture quality. In addition, automatic color reduction 
selects the optimal output format for serialized files or the optimal 
output page format for multi-page files. 

Compression 

Turn compression on or off as needed. 

Output Formats 

TIFF True Color Uncompressed or Compressed Packbits 
TIFF Monochrome Uncompressed or Compressed CCITT Group 4 
TIFF 256 Color Uncompressed or Compressed Packbits 

Paper Size 

Converts custom documents up to 18.03 x 18.03 inches, or 458 x 458 
millimeters. Supports most paper sizes. 

Resolutions 

100, 200, and 300 DPI resolutions. 

EZ-Printer for Windows NT 

Print to image file from any application 

Downloads: 485 
Requirements: Windows NT 4.0 
Purchase Information: Demo: $49-$59 for retail version. 

EZ-Printer for Windows NT makes it possible to print from 
any application to an image file. It installs itself as a native 
device in the printer control panel. Users can simply 
choose Print and select the EZ-Printer printer from the list 
of available printers. Output is in black and white (the 
author has a color version, too) and is automatically saved 
in the file format of choice (DIB BMP, GIF, TIFF, or PNG). 
The images are automatically sequentially numbered. The 
included viewer will let users see the results immediately. 
This demo version of the driver includes a banner in the 
middle of the image. Virtually no documentation is 
included, so users will need to visit the authors' Website to 
get information or support. Output also seems to be limited 
in resolution, with no apparent way to control the dpi. Still, 
EZ-Printer could be particularly useful for Websites, writing 
documentation, presentations, and many other 
applications. 

Reviewed on Oct 23 1999. 

PRINT TO SIGNED TIFF FILE 

According to various aspects of the present inventions, a document can be signed 
by printing the document to a TIFF file using a virtual printer driver, e.g. provided by a 
service such as "SelfCertify.com." (Note that SelfCertify.com is not an operating 
business entity, though the applicant has registered the domain name, and has not 
offered any product or service for sale as of the filing date of the present provisional 
application.) The TIFF file is created as it normally would be except that it includes a 
signature block within a suitable field. 

In one embodiment, the signature block is included within the TIFF 
"ImageDescription" field, the ASCII contents of which are excluded from the signature 
calculation of the file. (See AF-3.) In an actual implementation, the user "prints" the 
document to the digital signature printer driver. The driver creates the TIFF (multi-page 
if necessary), with blank characters in the fixed-length "ImageDescription" field 
where the signature data is intended to reside (setting that data to a default blank ASCII 
value), computes a signature for the entire document with the default blank value in the 
"ImageDescription" field, and places the signature data in the "ImageDescription" field 
as ASCII. 

The document's signature can be verified simply by opening it with a 
customized TIFF reader, which extracts the signature data from the "ImageDescription" 
field and validates it against the data of the document with default blank values 
substituted in the "ImageDescription" field. 
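
The blank-field signing and verification steps described above, as an added example (not code from the application or from SelfCertify.com). It assumes a constructed single-strip grayscale TIFF, a 128-byte field length, and HMAC-SHA256 from the Python standard library standing in for the GPG public-key signature the text calls for; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

TAG_IMAGE_DESCRIPTION = 270          # TIFF tag number given in the sample field
TYPE_ASCII = 2
FIELD_LEN = 128                      # assumed fixed Count, including the trailing NUL
DEMO_KEY = b"constructed demo key"   # stand-in secret; the page uses a GPG key pair


def build_tiff(pixels: bytes, width: int, height: int) -> bytes:
    """Constructed little-endian, one-strip, 8-bit grayscale TIFF whose
    ImageDescription field holds FIELD_LEN - 1 blanks plus a NUL."""
    n_entries = 9
    desc_off = 8 + 2 + 12 * n_entries + 4            # header + IFD
    strip_off = desc_off + FIELD_LEN
    entries = [                                      # (tag, type, count, value/offset)
        (256, 3, 1, width), (257, 3, 1, height),     # ImageWidth, ImageLength
        (258, 3, 1, 8), (259, 3, 1, 1),              # BitsPerSample, no compression
        (262, 3, 1, 1),                              # Photometric: BlackIsZero
        (TAG_IMAGE_DESCRIPTION, TYPE_ASCII, FIELD_LEN, desc_off),
        (273, 4, 1, strip_off), (278, 3, 1, height), # StripOffsets, RowsPerStrip
        (279, 4, 1, len(pixels)),                    # StripByteCounts
    ]
    ifd = struct.pack("<H", n_entries)
    ifd += b"".join(struct.pack("<HHII", *e) for e in entries)
    ifd += struct.pack("<I", 0)                      # no further IFD
    blank = b" " * (FIELD_LEN - 1) + b"\x00"
    return b"II" + struct.pack("<HI", 42, 8) + ifd + blank + pixels


def find_description(tiff: bytes) -> tuple[int, int]:
    """Return (offset, count) of the ImageDescription value in the first IFD."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack_from(order + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF file")
    (ifd_off,) = struct.unpack_from(order + "I", tiff, 4)
    (n,) = struct.unpack_from(order + "H", tiff, ifd_off)
    for i in range(n):
        tag, typ, count, value = struct.unpack_from(
            order + "HHII", tiff, ifd_off + 2 + 12 * i)
        if tag == TAG_IMAGE_DESCRIPTION and typ == TYPE_ASCII:
            if count <= 4 or value + count > len(tiff):
                raise ValueError("ImageDescription is inline or out of bounds")
            return value, count
    raise ValueError("no ImageDescription field")


def with_description(tiff: bytes, text: bytes) -> bytes:
    """Overwrite the field in place, blank-padded to its fixed length."""
    off, count = find_description(tiff)
    if len(text) > count - 1:
        raise ValueError("signature block does not fit the fixed-length field")
    return tiff[:off] + text.ljust(count - 1, b" ") + b"\x00" + tiff[off + count:]


def canonical(tiff: bytes) -> bytes:
    """The bytes that are signed: the whole file with the field blanked."""
    return with_description(tiff, b"")


def sign(tiff: bytes, key: bytes, signer: str) -> bytes:
    mac = hmac.new(key, canonical(tiff), hashlib.sha256).hexdigest()
    block = f"Signed by: {signer}\nSignature: {mac}".encode("ascii")
    return with_description(tiff, block)


def verify(tiff: bytes, key: bytes) -> bool:
    off, count = find_description(tiff)
    claimed = b""
    for line in tiff[off:off + count - 1].split(b"\n"):
        if line.startswith(b"Signature: "):
            claimed = line[len(b"Signature: "):].strip()
    expected = hmac.new(key, canonical(tiff), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), claimed)


if __name__ == "__main__":
    original = build_tiff(bytes(range(16)), 4, 4)
    signed = sign(original, DEMO_KEY, "Edwin A. Suominen")
    print("signed file verifies:", verify(signed, DEMO_KEY))
    flipped = signed[:-1] + bytes([signed[-1] ^ 1])      # alter one pixel
    print("altered pixel verifies:", verify(flipped, DEMO_KEY))
    # Text inside the field is excluded from the calculation, so it is not
    # itself authenticated; only the key identifies the signer.
    relabelled = signed.replace(b"Edwin A. Suominen", b"Another Name Here")
    print("relabelled field verifies:", verify(relabelled, DEMO_KEY))
```

Because every byte of the field is blanked before the calculation, a verifier should take the signer's identity from the key that validates the signature, not from the "Signed by:" text stored beside it.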

An exemplary process is illustrated in the attached FIG. (AF-4), in which a signer 
creates a document using whatever software he (or she) wishes to use (e.g., Microsoft 
Word 97). He or she then prints the document to the SelfCertify.com virtual TIFF 
printer. The printer driver software creates a TIFF file of the document and displays it 
in a viewer window. The user interface of the viewer window requests authentication 
from the signer to apply his digital signature to the document. The authentication can 
be a securely delayed passphrase input according to various aspects of the present 
inventions. 

Advantageously, the signed document is in a conventional format (e.g., multi-page 
TIFF) that can be read by any conventional viewer if signature authentication is 
not needed. When signature authentication is needed, a document can be viewed using 
the SelfCertify.com TIFF viewer (which may be distributed freely to encourage use of 
SelfCertify.com's digital signature services). 

The signer's public key can be included in the signature data along with the 
digital signature and the name of the signer. A facsimile copy of the key ACI (see, e.g., 
Appendix A) can be appended to the end of the TIFF file after the document pages. 



Having both of these items present in the TIFF file permits a verifier to quickly 
authenticate the signed document. If he or she is satisfied with the integrity of the TIFF 
reader/ verification software he or she has obtained (e.g., from a secure, trusted web 
page of SelfCertify.com), and if he or she is satisfied that the facsimile copy of the ACI 
with its security background digits is not a forgery, he will have everything he needs to 
validate the signature of a person who has not made any prior digital signing 
arrangements with him. 

Signing and verification software according to various aspects of the present 
inventions can be integrated with the GPG ("GNU Privacy Guard") software, which can 
be freely distributed and modified under the GNU Public License. The signing and 
verification software can call the GPG software with parameter passing. The inventor of 
signing and verification software can thus include, generally, a slightly modified TIFF 
printer driver and TIFF reader that calls the GPG software for all digital signature 
functionality. All three pieces of software can be released in a single compact package. 

The TIFF reader software can provide the option to output the original TIFF file 
(without signature data in the "ImageDescription" field) along with a PGP-compatible 
detached signature to the file and an ASCII file with the signer's public key. This 
permits less trusting users to verify integrity of the signature and signing key 
(comparing PGP's SHA-1 "fingerprint" to what's shown on the ACI) with their own 
copy of PGP or GPG. 


Sample "ImageDescription" TIFF Field 

Tag = 270 
Type = ASCII 

Count = Fixed number of characters in signature block, plus 1 for NUL at 
end. 



Value = 1728 

SELFCERTIFY.COM SIGNATURE DATA -- J 
Signed by: Edwin A. Suominen J 

J 

Signature: J 

iQA/AwUAOhsl j KmKuMvNCWDGEQJ4TACe JpwTCOzNvxKhZVYagl71BEuh.KEMAnj tT J 

SivKAZgC21P/pMrro2HgTf Jo J 
=Adug<NUL>" 

IMPROVEMENT TO PGP 

By Edwin A. Suominen 



Allowing keys of keyring to exist at different locations 



I would like to follow the advice of some encryption experts to keep my private key 
(or at least a signing key) on removable media (e.g., a floppy disk) for added 
security. However, the only way to do this now is to have my entire PGP keyring on 
that floppy disk. If the key I'm truly worried about is to be secure, I won't want 
to keep that floppy disk where it is easily accessible. Instead, I will want to keep 
my public keys and my encryption key on the hard disk and just my signing private 
keyring on a floppy disk. 

According to this proposed improvement, PGPkeys allows users to specify the file 
location of private keys on their keyring. Everything works normally except when an 
"indirect" private key is to be used, e.g., to apply an especially important PGP 
signature to a contract. When that happens, the PGP software looks for the file 
containing the indirect key. If the file is located on removable media that is not 
in the drive, the software prompts the user to insert the removable media containing 
the indirect key. If the file is located on a PGP disk or some other type of 
encrypted volume, the software could simply indicate that the volume is not present 
and invite the user to mount it. 

After use of the PGP key is complete, the software can advise the user that it is no 
longer needed and that he or she can unmount the volume or put the removable media 
back in its secure location. 



ed@eepatents.com, No Subject 

To: 

From: Ed Suominen <ed@eepatents.com> 

Subject: 

Cc: 

Bcc: ed@eepatents.com 
Attached: 



LAW OFFICES OF LOUIS J. HOFFMAN, P.C. 

14614 North Kierland Boulevard, Suite 300 * Scottsdale, Arizona 85254 
Telephone: (480) 948-3295 * Facsimile: (480) 948-3387 

Edwin A. Suominen * Admitted to practice in patent matters before the U.S. Patent Office 
only 

Web Site: http://eepatents.com * PGP Public Key: http://eepatents.com/kev 



BEGIN PGP SIGNED MESSAGE 

Hash: SHA1 

This is an example of a message that has been signed with preserved 
formatting and an unobtrusive digital signature around clear-signed 
text, according to various aspects of the present inventions. 

BEGIN PGP SIGNATURE 

Version: PGP Personal Privacy 6.5.8 

iQA/AwUBOq03eqiaKuKvNCWDGEQLwpwCePj ly 0iuPEKIeRsSyqTCA7S++MpIAnRPv 

qtttmsePjh/WqGafymg/hVMs 

=q40y 

END PGP SIGNATURE 



Printed for Ed Suominen <ed@eepatents.com> 



CRYPTOGRAPHIC DOCUMENT DESTRUCTION 



BACKGROUND AND SUMMARY 

In private confidential conversation, two people can have a conversation without 
leaving any record of their conversation. With written or electronic communications, 
however, there is some record of what was said. That record can be difficult to 
eliminate. 

Paper communications such as letters can be shredded if both sender and 
recipient agree that they will destroy their copies. Electronic communications (e-mail) 
are more difficult to eliminate because backup copies can be made and automatically 
archived onto other locations. It is sometimes surprising that backup copies are 
available during discovery of communications that would be embarrassing. 
Accordingly, there is a need for a system of destroying electronic communications or 
records when the sender and recipient of the communications agree to do so. 

A system according to various aspects of the invention includes: an encryption 
subsystem; and a decryption subsystem, the decryption subsystem using a temporary 
key that can be disposed of to make encrypted communications unreadable. 

DETAILED DESCRIPTION 

An encryption key allows an authorized person to decrypt encrypted 
communications. For example, an encryption key can be a passphrase, or use a 
passphrase, known only to a person authorized to decrypt communications. According 
to various aspects of the present inventions, the decryption key can be destroyed. A 
passphrase for such a decryption key is preferably forgettable, for example a random 
alphanumeric string of sufficient length to be secure. Advantageously, the 
alphanumeric string can be used as a passphrase to open communications or records 
when it is desired to do so and then destroyed and forgotten about when it is no longer 
desired for such communications or records to ever be decrypted again. 

Operation of one embodiment includes (1) writing an electronic mail message to 
a person; (2) encrypting the communications using an agreed-upon passphrase, 
preferably an alphanumeric random digit string, for example 12 digits in length; (3) 
sending the encrypted message to the recipient; (4) having the recipient type in the 
passphrase to open the encrypted communications; and then after a predetermined or 
agreed-upon period of time, (5) having both parties destroy the passphrase (throwing 
away a Post-It note upon which the passphrase is written) so that neither the sender nor 
the recipient can ever decrypt the communication again. Preferably, the passphrase is 
used only for a short length of time or limited number of times so that it is impossible 
for either party to remember it. The more random and arbitrary cryptic the passphrase 
is, the more difficult it will be to ever remember. 

Systems according to various aspects of the invention can be useful in the legal 
profession where sometimes legal professionals are called upon to testify about matters 
that were assumed to be privileged but the court determines that they are not for 
whatever reason, as happens in patent practice sometimes. If an attorney or agent has 
communicated with his client using this system, and the client agrees to destroy the 
passphrase after the matter is complete, and the advice communicated by the attorney 
or agent is no longer relevant or needed and has been acted upon completely, then it is 
impossible for any court or any party to discover what the parties discussed. 

Even if a backup copy of an electronic mail message is found, a court can 
authorize a cryptanalysis of the message, but if it is encrypted using PGP strong 
encryption, it would be very difficult, effectively impossible, for the opposing party to 
figure out what the message said. 

Embodiments can be employed in other types of communications that are 
encoded in digital form so that they can be encrypted. Even handwritten notes can be 
scanned into digital form and encrypted. 

Voice messages can be digitized and compressed, entire paper files can be 
archived by scanning and digitizing, and then encrypting into a single encrypted 
archive file with a temporary key that can be disposed of after a predetermined time, 
which can be set by policy, for example one year. 

According to another aspect of the invention, the keys need not be remembered 
or typed in by a human operator at all. According to this aspect, the key is an actual 
hardware device that transmits decrypting authorization indicia for a predetermined or 
agreed-upon period of time and then is incapable of doing so after that. An example of 
such a key is placed between a conventional PC keyboard and a PC. The device 
includes circuitry for reading a decryption key code or indicia from another device such 
as a card having barcodes printed on it or a disposable integrated circuit, which can be 
made in the form of a key. 

The device can be sold with a number of keys that can be used and disposed of 
by the user. For example, if the device is sold with twelve keys with refills of 12 
additional keys available by ordering, the user can encrypt and archive records every 
month with a different key and toss a new (different) key away every month. The user 
may wish to keep the records on file for a period of several months in which case the 
user will begin using a key one month and then put the key into storage for a couple of 
months and then toss the key away, destroying it irretrievably after that period of time. 

An embodiment using printed cards is less expensive and the keys can be 
disposed of more cheaply but it is more prone to unauthorized or inadvertent 
duplication, in which case the whole purpose of the system might be defeated. The user 
of such a system needs to take precautions that the keys are never duplicated. 

A database of which files correspond to which temporary keys can be created 
according to aspects of the invention so that an administrator can look over the list of 
keys about to expire and ask the persons involved with the affected files whether or not 
they need information from the files before they are destroyed. Paper documents can be 
shredded at the same time the keys are destroyed. If the key for a paper file that has a 
corresponding electronic file is a card, the card can be kept with the paper file and both 
can be destroyed simultaneously. 

The key can be distributed from a sender of information to a recipient who is 
only authorized to access the information for a temporary period of time, for example 
one or two days. The sender of the information, or provider, can demand the key back 
after that period of time. In such a system, the key needs to be difficult to duplicate, for 
example an integrated circuit in the shape of a key. A forgettable password would not 
work for such a system because the user could write it down without telling the sender, 
but the forgettable password system works well when both parties, or all parties 
involved, are in cooperation and consent to destroy the information and the forgettable 
password. 

CLOCK JITTER RANDOM BIT GENERATOR 

This invention uses existing hardware in a standard desktop PC with 
some very compact software to efficiently generate truly random 
numbers. Tell that introductory sentence to any cryptographer and 
they will either (1) beg you to tell them how, or (2) dismiss you as an 
ignorant crackpot and lead you to various references talking about 
detecting hard disk read latencies, digitizing thermal noise, 
counting bubbles in fish tanks or lava lamps for generating true 
random numbers. (Pentium III chips have a hardware random number 
generator embedded in them, but I'm not sure that the AMD chips do. 
In any event, this invention provides random numbers from hardware 
that exists in all PCs today, and the need is still out there for a 
simple software solution.) I think if they were to read the following 
paragraphs they would scratch their head and say "now why didn't I 
think of that?" 

A method of generating a random binary bit according to various 
aspects of this invention includes: (a) clocking a CPU using a 
phase-locked loop; (b) beginning a count of CPU clock cycles upon a 
first transition of an independent clock signal (e.g., the PC's 
real-time clock, which generates interrupts on IRQ08 under control of 
a 32.768 kHz crystal); (c) recording the number of CPU clock cycles 
counted upon a second transition of the independent clock signal; and 
(d) extracting the least significant bit of the count to serve as a 
random binary bit. 

Modern microprocessors use high-frequency clocks that are generated 
using a phase-locked loop (PLL). The PLL multiplies a lower-frequency 
crystal oscillator clock signal to generate the microprocessor clock, as 
well as other clock signals used in the system. The Intel "CK98 Clock 
Synthesizer/Driver" is an example of a chip containing a PLL for this 
purpose. 

PLLs lock the output frequency of a relatively unstable 
voltage-controlled oscillator to the more stable reference frequency 
of a crystal oscillator. The locking is performed using a feedback 
loop that has particular characteristics. Because phase locking 
cannot be perfect, there is always some "phase noise" or jitter on 
the PLL output. This phase noise or jitter causes the frequency of 
the PLL output signal to randomly vary within a Gaussian 
distribution. CPU clock generators are not designed to have very low 
phase noise because the exact clock frequency of the CPU is not 
particularly important. (That is in contrast to the type of PLL 
design I'm familiar with, for cellphone receivers, where the phase 
noise needs to drop off within a few hundred Hz of the carrier.) The 
PLL of the CK98 chip, for example, specifies that the "ideal closed 
loop jitter bandwidth" be attenuated 20 dB at 500 kHz, and a graph in 
the chip's data sheet shows the jitter (phase noise) spectrum 
extending out to 50 kHz without significant attenuation. 

With these levels of jitter, the number of CPU clock cycles in any 
given time interval can be expected to have significant variance. The 
high frequency components of the phase noise will integrate over long 
intervals and cancel each other out to some extent, but the number of 
CPU clock cycles over one predetermined time interval will be 
different (in a random fashion) from the number of CPU clock cycles 
over another predetermined time interval of the same length. 

As a time interval gets longer, the number of clock cycles over the 
interval increases and the possibility of an integer difference 
between the number of clock cycles in two separate intervals of the 
same length increases proportionately. However, longer intervals 
permit high frequency variations in instantaneous frequency to cancel 
each other out. 

The probability of any given frequency measured over a given time 
interval is defined as a Gaussian function of the frequency offset 
from the correct PLL frequency. Thus the probability of any given 
offset frequency measured over a larger time interval can be expected 
to be smaller than the probability of that frequency over the shorter 
time interval, by a scaling factor inversely proportional to the 
square root of the ratio between intervals. So the probability P of 
an offset frequency fdev measured over an interval T is a function 
Pf_dev = P(f_offset)/SQRT(T/c). If the interval is quadrupled, the 
probability of measuring a given offset frequency over that longer 
interval is 1/2 the probability of measuring that frequency over the 
shorter interval. 

However, the number of clock cycles employed in the frequency 
measurement increases linearly with the length of the interval. The 
c?^iI e ?cr re 2 u 2"S£ deviation (over the interval) represented by a 
fh£ 9 nLhf^ °l d ^ ff f renc ? m clock cycles is inversely proportional to 
the number of clock cycles, so, longer time intervals permit more 
accurate measurement of a given frequency deviation. If an interval 
is quadrupled, the probability of a given offset frequency difference 
JhorJer^nterval 1 : 56 differen " is SS ^ability lltJhS" 

In view of the above two paragraphs, it is clear that any amount of 
random frequency deviation can be measured so long as the interval is 

de-crease 9 bu? U ?t l£Wl° ba ¥li ty of meas »ring * givln offset wil 15 
decrease, but the ability of the measurement to detect that offset 
will increase faster than the decrease in probability of offset in 
Sp ^ f 5 /" ^ Crude analysis, an additional factor may be 
distribution of low-frequency deviations in the Gaussian 
distribution. It is possible that the integration of the area under 
the Gaussian curve from zero offset to 1/fdev will increase to the 
point where a value of fdev=1/T will become likely. 

S^ffl'SEfTlSof a^SSfa^tffi fS d ever? P P^nd 

FAQ 

Q1: What about other pseudorandom variations caused by other 

li* unrKniiSl?' may slow down the count in a predictable fashion? 
A1: Uncorrelated variances add, so the presence of any truly random 
component in a binary number will result in a random LSB as long as 
the truly random component is at least one LSB in size. 



Q2: How large would the count of CPU clock cycles be with a Pentium 
III running at 500 MHz and a 32.768 kHz interrupt rate from the 
real-time clock? 
A2: 15,258.8 

Q3: Obviously, you can't measure 0.8 clock cycles. You probably can't 
measure integer clock cycles either because of the count routine 
requiring multiple clock cycles, so what sort of resolution could you 
expect in that count? 
A3: Probably a count by 3's, or 5086 possible count values, one for 
the increment, one for the branch back, one for unknown 
possibilities. 

Q4: So what is the minimum frequency deviation (in Hertz) you could 
measure over one 30.5 microsecond interrupt interval from the 
real-time clock? 
A4: 98 kHz. 

Q5: What if the frequency offset is unlikely to be that large over 
any given interval, say only a 10% probability? 

A5: Accumulate 100 potentially random bits over 100 real-time clock 
intervals. The chance of every single one of those intervals *not* 
producing a random bit is 0.90^100 = 0.0027%. Since at least one of 
the bits will almost certainly be random, simply XOR all the bits 
together and you'll have a random bit. Note that the specifications 
of the CK98 clock generator make it seem more likely than 10 percent 
that you'll see frequency deviations of 98 kHz. 

If you actually use 200 intervals because of the need to set up 
before the next counting interval, the whole process would take six 
milliseconds per random bit produced. 
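
The FAQ's arithmetic and the XOR step of A5, carried through as an added example (not code from the application). It assumes the intervals are independent and that an interval without enough jitter yields a fixed 0 bit; the simulated counts are a constructed model, not measurements, and all names are hypothetical.

```python
import random
from fractions import Fraction

CPU_HZ = 500_000_000      # Pentium III clock from Q2
RTC_HZ = 32_768           # real-time clock interrupt rate from Q2
CYCLES_PER_COUNT = 3      # A3: the counting loop advances once per ~3 cycles


def faq_figures() -> dict:
    """Recompute the numbers quoted in A2 to A5."""
    cycles = CPU_HZ / RTC_HZ
    return {
        "cycles_per_interval": round(cycles, 1),                      # A2
        "count_values": int(cycles // CYCLES_PER_COUNT),              # A3
        # one count step per 1/RTC_HZ seconds, expressed as a frequency (A4)
        "min_deviation_khz": round(CYCLES_PER_COUNT * RTC_HZ / 1e3),
        "ms_per_bit_200_intervals": round(200 / RTC_HZ * 1e3, 1),
    }


def fold(counts) -> int:
    """XOR together the least significant bit of every interval's count."""
    bit = 0
    for c in counts:
        bit ^= c & 1
    return bit


def p_zero_after_xor(p_random: Fraction, n: int) -> Fraction:
    """Exact P(folded bit = 0) when each interval independently yields a fair
    bit with probability p_random and a fixed 0 otherwise (worst case)."""
    p0 = Fraction(1)                 # XOR of no bits is 0
    p_one = p_random / 2             # chance that one interval's LSB is 1
    for _ in range(n):
        p0 = p0 * (1 - p_one) + (1 - p0) * p_one
    return p0


def simulated_counts(n: int, p_random: float, rng: random.Random) -> list:
    """Constructed model: nominal count 5086, plus one extra count half of
    the time in the intervals where the jitter is large enough to register."""
    nominal = faq_figures()["count_values"]
    return [nominal + (rng.random() < p_random and rng.random() < 0.5)
            for _ in range(n)]


def demo(bits: int = 2000, n: int = 100, p: float = 0.10, seed: int = 1):
    """Fraction of 1s in raw single-interval bits versus folded bits."""
    rng = random.Random(seed)
    raw = simulated_counts(bits, p, rng)
    folded = [fold(simulated_counts(n, p, rng)) for _ in range(bits)]
    return sum(c & 1 for c in raw) / bits, sum(folded) / bits


if __name__ == "__main__":
    print(faq_figures())
    bias = p_zero_after_xor(Fraction(1, 10), 100) - Fraction(1, 2)
    print("residual bias after XOR of 100 intervals:", float(bias))
    print("raw vs folded fraction of ones:", demo())
```

Under these assumptions the folded bit's distance from an even split is exactly half of the 0.90^100 figure in A5; correlated intervals would not be covered by that bound.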


14.51 Note (computational efficiency of reduction modulo b^t - c) 

(i) Suppose that x has 2t base b digits. If l ≤ t/2, then Algorithm 14.47 executes step 2 
at most s = 3 times, requiring 2 multiplications by c. In general, if l is approximately 
(s - 2)t/(s - 1), then Algorithm 14.47 executes step 2 about s times. Thus, 
Algorithm 14.47 requires about sl single-precision multiplications. 

(ii) If c has few non-zero digits, then multiplication by c will be relatively inexpensive. 
If c is large but has few non-zero digits, the number of iterations of Algorithm 14.47 
will be greater, but each iteration requires a very simple multiplication. 

14.52 Note (modifications) Algorithm 14.47 can be modified if m = b^t + c for some positive 
integer c < b^t: in step 2.2, replace r←r + r_i with r←r + (-1)^i r_i. 

14.53 Remark (using moduli of a special form) Selecting RSA moduli of the form b^t ± c for 
small values of c limits the choices of primes p and q. Care must also be exercised when 
selecting moduli of a special form, so that factoring is not made substantially easier; this is 
because numbers of this form are more susceptible to factoring by the special number field 
sieve (see §3.2.7). A similar statement can be made regarding the selection of primes of a 
special form for cryptographic schemes based on the discrete logarithm problem. 



14.4 Greatest common divisor algorithms 

Many situations in cryptography require the computation of the greatest common divisor 
(gcd) of two positive integers (see Definition 2.86). Algorithm 2.104 describes the classical 
Euclidean algorithm for this computation. For multiple-precision integers, Algorithm 2.104 
requires a multiple-precision division at step 1.1 which is a relatively expensive operation. 
This section describes three methods for computing the gcd which are more efficient than 
the classical approach using multiple-precision numbers. The first is non-Euclidean and 
is referred to as the binary gcd algorithm (§14.4.1). Although it requires more steps than 
the classical algorithm, the binary gcd algorithm eliminates the computationally expensive 
division and replaces it with elementary shifts and additions. Lehmer's gcd algorithm 
(§14.4.2) is a variant of the classical algorithm more suited to multiple-precision 
computations. A binary version of the extended Euclidean algorithm is given in §14.4.3. 



14.4.1 Binary gcd algorithm 

14.54 Algorithm Binary gcd algorithm 

INPUT: two positive integers x and y with x > y. 
OUTPUT: gcd(x, y). 

2. While both x and y are even do the following: x←x/2, y←y/2, g←2g. 

3. While x ≠ 0 do the following: 

3.1 While x is even do: x←x/2. 

3.2 While y is even do: y←y/2. 

3.3 t←|x - y|/2. 

3.4 If x ≥ y then x←t; otherwise, y←t. 

4. Return(g · y). 
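
Algorithm 14.54 beside the classical Euclidean loop, as an added example (not from the quoted text) that counts the work each one does. The listing as reproduced here starts at step 2, so the initialisation g = 1 is an assumption; the inputs 1764 and 868 are constructed, and the function names are hypothetical.

```python
def binary_gcd(x: int, y: int) -> tuple[int, int]:
    """Return (gcd(x, y), passes through step 3) using only halving,
    doubling and subtraction."""
    if x <= 0 or y <= 0:
        raise ValueError("x and y must be positive")
    g, passes = 1, 0                         # assumed initialisation g = 1
    while x % 2 == 0 and y % 2 == 0:         # step 2: pull out common factors of 2
        x, y, g = x >> 1, y >> 1, g << 1
    while x != 0:                            # step 3
        while x % 2 == 0:                    # 3.1
            x >>= 1
        while y % 2 == 0:                    # 3.2
            y >>= 1
        t = abs(x - y) >> 1                  # 3.3: x and y are both odd here
        if x >= y:                           # 3.4: on a tie x must take t = 0,
            x = t                            #      otherwise 3.2 would never end
        else:
            y = t
        passes += 1
    return g * y, passes                     # step 4


def euclid_gcd(x: int, y: int) -> tuple[int, int]:
    """Classical algorithm: return (gcd(x, y), number of divisions)."""
    divisions = 0
    while y:
        x, y = y, x % y                      # one multiple-precision division
        divisions += 1
    return x, divisions


if __name__ == "__main__":
    print("binary :", binary_gcd(1764, 868))   # more passes, no division
    print("euclid :", euclid_gcd(1764, 868))   # fewer steps, each a division
```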

§14.3 Multiple-precision modular arithmetic 

14.3.4 Reduction methods for moduli of special form 

When the modulus has a special (customized) form, reduction techniques can be employed 
to allow more efficient computation. Suppose that the modulus m is a t-digit base b positive 
integer of the form m = b^t - c, where c is an l-digit base b positive integer (for some 
l < t). Algorithm 14.47 computes x mod m for any positive integer x by using only shifts, 
additions, and single-precision multiplications of base b numbers. 



14.47 Algorithm Reduction modulo m = b^t - c 

INPUT: a base b, positive integer x, and a modulus m = b^t - c, where c is an l-digit base 
b integer for some l < t. 
OUTPUT: r = x mod m. 

2. While q_i > 0 do the following: 

2.1 q_{i+1}←⌊q_i c / b^t⌋, r_{i+1}←q_i c - q_{i+1} b^t. 

2.2 i←i + 1, r←r + r_i. 

3. While r ≥ m do: r←r - m. 

4. Return(r). 



14.48 Example (reduction modulo b^t - c) Let b = 4, m = 935 = (32213)_4, and x = 31085 = 
(13211231)_4. Since m = 4^5 - (1121)_4, take c = (1121)_4. Here t = 5 and l = 4. 
Table 14.9 displays the quotients and remainders produced by Algorithm 14.47. At the 
beginning of step 3, r = (102031)_4. Since r > m, step 3 computes r - m = (3212)_4. □ 









   i    q_{i-1} c     q_i       r_i          r
   0    -             (132)_4   (11231)_4    (11231)_4
   1    (221232)_4    (2)_4     (21232)_4    (33123)_4
   2    (2302)_4      (0)_4     (2302)_4     (102031)_4

Table 14.9: Reduction modulo m = b^t - c (see Example 14.48). 
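
Algorithm 14.47 run on the numbers of Example 14.48, as an added example (not from the quoted text) that regenerates the rows of Table 14.9 and also covers the m = b^t + c variant of Note 14.52. The listing as reproduced here starts at step 2, so the initial split of x into q_0 and r_0 is an assumption; function names are hypothetical.

```python
def to_base(n: int, b: int) -> str:
    """Digits of a non-negative integer n in base b (b <= 36)."""
    digits = ""
    while True:
        n, d = divmod(n, b)
        digits = "0123456789abcdefghijklmnopqrstuvwxyz"[d] + digits
        if n == 0:
            return digits


def reduce_special(x: int, b: int, t: int, c: int, plus: bool = False):
    """Return (x mod m, trace) for m = b^t - c, or m = b^t + c when plus=True.
    Each trace row is (i, q_{i-1}*c, q_i, r_i, r)."""
    bt = b ** t
    if not 0 < c < bt or x < 0:
        raise ValueError("need 0 < c < b^t and x >= 0")
    m = bt + c if plus else bt - c
    # Assumed initialisation: q_0 is x without its low t digits, r_0 is those digits.
    q, r_i = divmod(x, bt)        # on a base-b digit array this is a shift, not a division
    r, i = r_i, 0
    trace = [(0, None, q, r_i, r)]
    while q > 0:                                   # step 2
        qc = q * c                                 # the only multiplication per pass
        q, r_i = divmod(qc, bt)                    # step 2.1
        i += 1
        r += -r_i if (plus and i % 2) else r_i     # step 2.2; (-1)^i r_i for b^t + c
        trace.append((i, qc, q, r_i, r))
    while r < 0:                                   # reachable only when plus=True
        r += m
    while r >= m:                                  # step 3
        r -= m
    return r, trace


def trace_in_base(x: int, b: int, t: int, c: int) -> list:
    """Trace rows for m = b^t - c with every number written in base b."""
    _, trace = reduce_special(x, b, t, c)
    return [(i, None if qc is None else to_base(qc, b), to_base(q, b),
             to_base(r_i, b), to_base(r, b)) for i, qc, q, r_i, r in trace]


if __name__ == "__main__":
    residue, _ = reduce_special(31085, 4, 5, 89)   # c = (1121)_4 = 89
    print("x mod 935 =", residue, "=", "(" + to_base(residue, 4) + ")_4")
    for row in trace_in_base(31085, 4, 5, 89):
        print(row)
```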



14.49 Fact (termination) For some integer s ≥ 0, q_s = 0; hence, Algorithm 14.47 terminates. 

Justification. q_i c = q_{i+1} b^t + r_{i+1}, i ≥ 0. Since c < b^t, 
q_i = (q_{i+1} b^t / c) + (r_{i+1} / c) > q_{i+1}. 
Since the q_i's are non-negative integers which strictly decrease as i increases, there is some 
integer s ≥ 0 such that q_s = 0. 

14.50 Fact (correctness) Algorithm 14.47 terminates with the correct residue modulo m. 

Justification. Suppose that s is the smallest index i for which q_i = 0 (i.e., q_s = 0). Now, 
x = q_0 b^t + r_0 and q_i c = q_{i+1} b^t + r_{i+1}, 0 ≤ i ≤ s - 1. Adding these equations gives 

x + (Σ_{i=0}^{s-1} q_i) c = (Σ_{i=0}^{s-1} q_i) b^t + Σ_{i=0}^{s} r_i. Since b^t ≡ c (mod m), it follows that 

x ≡ Σ_{i=0}^{s} r_i (mod m). Hence, repeated subtraction of m from r = Σ_{i=0}^{s} r_i gives the 
correct residue. 